4G/LTE - Basic Procedures  

 

 

 

Cell ID Detection and System Information Detection

What is happening at the very first when you first power on (or Switching Airplane Mode On to Off) is to detect a cell around the UE (e.g, mobile phone). This would be the most important process happening inside of the UE in terms of celluar protocol point of view. The overall procedure of the initial detection of a cell can be described as below.

    i) Frequency Aquisition

    ii) Primary Sync Signal Aquisition (Slot Timing Aquired, Secondary Sync Signal Scrambling Code Aquired). From this, N_id_2 is found.

    iii) Secondary Sync Signal Aquisition (Frame timing Aquired, Cell Group ID sequence aquired). From this, N_id_1 is found.

    iv) with PSS(N_id_2) and SSS(N_id_1), Cell ID can be calculated

    v) with Cell ID, Reference Signal Location is detected

    vi) With the help of Reference Signal, PBCH (MIB) can be detected

    vii) From MIB, SFN and System BW can be detected

    viii) Decode PCFICH and detect how many symbols are allocated for PDCCH.

    ix) Decode DCI for SIB1 from PDCCH.

    x) Decode SIB1 and get the scheduling information for other SIBs

    xi) Decode SIBs (other than SIB1)

One of the most important step for testing/troubleshooting around the initial registration is to check whether UE successfully complete the time-sync (step i) and ii)), but it is very hard to check this step with any kind of equipment. One way to easily check whether UE succeeded in time-sync or not is to check from UE log whether UE successfuly decoded Cell ID or not. If UE successfully detected Cell ID, it means UE successfully completed the time-sync.

One of the common questions that I got from this page was "It is possible for a UE to decode MIB without detecting reference signal ?"..i.e.. "Is reference signal a mandatory precondition for MIB decoding ?".

I think theoretically UE can decode MIB without any help of Reference Signal since all the information which is needed for decoding MIB is predefined in 3GPP specification.

I also had an experience of testing a chipset at very early development stage. At that time, an equipment and the device is directly connected at base band I/Q signal. So we can assume the signal quality is almost ideal. The chipset were able to decode MIB without detecting Reference Signal. But in reality with RF, it would be very tricky to decode MIB properly without any help of reference signal detection before it. Usually UE try to detect/estimate reference signal and configure its Equalizer properly and then try to decode MIB.

Cell Detection / Search in Python

I wrote this in a separate note here. If you are interested in DSP level of understanding on this process, I would suggest you to check out this note.

Cell Detection / Search in Matlab LTE Toolbox

NOTE : The most fundamental function in the list would be downlinkSubframeOffset which returns the timing offset between the start of the input I/Q data and the start of the first subframe. But this is an internal function of LteToolbox and the documentation is not avilable in public. You need to install LteToolbox and look into the source code if you want to get the detailed documentation on this function.

PSS generation in Time Domain

One of the most critical procedure in the Cell detection would be PSS and SSS detection. Usually PSS detection happens in TimeDomain before it is possible to generate resource grid. But PSS sequence in 3GPP is defined as a frequency domain within the resource grid. Therefore, to detect PSS in time domain we need to generate PSS signal in time domain. This process (i.e, generate PSS in time domain) is done by downlinkSubframeOffset and overall procedure is as follows.

    i) Create an empty resource grid. Usually generate resource grid with 6 RBs.

    ii) Generate PSS data as specified in 3GPP

    iii) Put the PSS data into the resource grid

    iv) Perform OFDM modulation (this is done by lteOFDMModulate. It performs DC subcarrier insertion, inverse fast Fourier transform (IFFT) calculation, cyclic prefix insertion, and optional raised cosine windowing and overlapping of adjacent OFDM symbols of the complex symbols in the resource array, grid ).

Consideration of Sampling Rate

Generating a time-domain PSS for LTE cell detection starts from the standard frequency-domain definition, but the receiver must finally work in the time domain. So the implementation is not just about creating the Zadoff-Chu sequence itself. It is also about matching the time resolution of the reference signal to the time resolution of the received IQ samples. In practice, this leads to two main approaches. One is to generate a wideband time-domain template by zero-padding and using a large IFFT. The other is to reduce the received signal bandwidth first and then use a smaller IFFT-based template. Both methods are valid. The key point is that the generated PSS template and the received signal must be aligned in sampling rate and bandwidth for correlation to work properly.

  • LTE PSS starts from frequency-domain definition
    • LTE PSS is defined as a 62-symbol Zadoff-Chu sequence.
    • It is mapped into the center 6 RB region.
    • This mapping leaves 5 guard subcarriers on each side.
    • The DC subcarrier is set to null.
    • After this mapping, IFFT is applied to generate the time-domain waveform.
  • Main implementation issue is sampling-rate alignment
    • The time-domain PSS template must have the same sampling interval as the received IQ data.
    • If the template and input signal have different sample spacing, cross-correlation does not line up correctly.
    • So the implementation is not only about generating the sequence.
    • It is also about matching the reference waveform to the receiver processing path.
  • There are two practical ways to solve the mismatch
    • Upsampling path using zero-padding
      • This starts from the same 6 RB frequency-domain PSS mapping.
      • The grid is padded with zeros up to the larger FFT size.
      • For a 20 MHz LTE capture at 30.72 MHz sampling, this is typically a 2048-point IFFT.
      • The result is a high-resolution time-domain PSS template.
      • This template directly matches the sample spacing of the wideband received signal.
      • This approach is common in simulation and transmitter-side waveform generation.
    • Decimation path using filtering and downsampling
      • This starts from the received wideband signal.
      • First, a digital low-pass filter keeps only the bandwidth that contains the PSS.
      • Then the signal is downsampled to a lower rate such as 1.92 MHz.
      • At this lower rate, a 128-point IFFT template becomes a natural match.
      • This reduces computational load significantly.
      • This is closer to the way practical UE cell search is implemented.
  • Filtering is mandatory before decimation
    • If downsampling is done without filtering, out-of-band energy folds into the wanted band.
    • This creates aliasing.
    • Aliasing degrades the correlation result.
    • In severe cases, it can bury the PSS peak.
  • Lower-rate template is mathematically sufficient
    • The PSS occupies only a limited bandwidth.
    • Its useful bandwidth is much smaller than the full LTE carrier bandwidth.
    • Therefore a 1.92 MHz processing path is enough to preserve the full PSS information.
    • This is why reduced-rate cell search is practical and efficient.
  • Design focus differs between the two approaches
    • 1.92 MHz template with 128-point IFFT
      • Good for low-complexity receiver processing.
      • Good for UE initial cell search.
      • Usually requires filtering and decimation of the input signal first.
    • 30.72 MHz template with 2048-point IFFT
      • Good for direct comparison with full-band captured IQ.
      • Good for simulation, visualization, and transmitter modeling.
      • Usually requires zero-padding in the frequency-domain grid.
  • Practical conclusion
    • There is no single universally correct FFT size by itself.
    • The correct choice depends on the sampling rate of the signal used for correlation.
    • The template and the received signal must be represented on the same time-domain scale.
    • Once this alignment is achieved, both approaches can detect the LTE PSS correctly.

SSS generation in Time Domain

Time Domain SSS generation is done in the same way as it does for PSS .

    i) Create an empty resource grid. Usually generate resource grid with 6 RBs.

    ii) Generate SSS data as specified in 3GPP

    iii) Put the SSS data into the resource grid

    iv) Perform OFDM modulation (this is done by lteOFDMModulate. It performs DC subcarrier insertion, inverse fast Fourier transform (IFFT) calculation, cyclic prefix insertion, and optional raised cosine windowing and overlapping of adjacent OFDM symbols of the complex symbols in the resource array, grid ).

NOTE : Even though it is possible to generate the SSS directly in the time domain using the same procedure as PSS (i.e., mapping the sequence into the resource grid and performing OFDM modulation), in practice this approach is rarely used. In real LTE receivers, SSS detection is almost always performed in the frequency domain after OFDM demodulation, where the received signal is already represented as a resource grid. Therefore, SSS correlation is typically done directly on the subcarriers of the resource grid rather than using a time-domain template.

Perform Correlation for PSS/SSS and Captured IQ

LTE cell search can be understood as a step-by-step synchronization process that gradually transforms an unknown stream of time-domain samples into a structured and synchronized resource grid. At the beginning, the receiver has no knowledge about symbol timing, frame timing, or cell identity. Through a sequence of detection stages using PSS and SSS, the receiver progressively acquires this information. This process naturally follows a coarse-to-fine synchronization pipeline. First, the receiver performs coarse timing and sector identification using the PSS in the time domain. Next, it converts the aligned samples into a frequency-domain grid through OFDM demodulation. Finally, it performs SSS detection in the frequency domain to determine the full Physical Cell ID and the exact frame boundary. Once these steps are complete, the receiver has a fully synchronized resource grid and can proceed to decode higher-layer broadcast information such as the MIB on PBCH.

  • LTE synchronization can be viewed as a coarse-to-fine pipeline
    • The receiver starts with raw time-domain IQ samples.
    • At this stage, it does not know symbol timing.
    • It does not know frame timing.
    • It does not know the full physical cell identity.
    • The goal is to gradually convert this unknown waveform into a synchronized frequency-domain resource grid.
  • Phase 1 is time-domain synchronization using PSS
    • The main goal is to find coarse timing and sector identity.
    • The receiver generates three reference PSS templates.
      • These correspond to NID2 = 0, 1, 2.
      • The templates are generated in time domain from the standardized frequency-domain PSS definition.
      • Depending on implementation, the template may be based on a 128-point IFFT or a 2048-point IFFT.
    • The receiver performs sliding correlation against the incoming IQ samples.
      • Each template is shifted across the received signal.
      • At each position, the receiver computes correlation magnitude.
      • This searches for the point where the received waveform best matches one of the PSS templates.
    • The receiver detects the strongest peak.
      • The peak position gives the timing of the PSS symbol.
      • In practical interpretation, this gives the end of the PSS symbol.
      • This also gives a reference for the 5 ms half-frame boundary.
    • The winning template identifies NID2.
      • This is the sector identity within the physical cell ID structure.
      • At this point, the receiver knows only part of the full PCI.
    • The receiver may also estimate coarse frequency offset from the PSS correlation.
      • This is usually obtained from the phase behavior of the correlation result.
      • The received IQ data can then be rotated to compensate for this coarse frequency offset.
      • This improves the reliability of the next synchronization stages.
  • Phase 2 is the transition from time domain to frequency domain
    • The main goal is to construct a properly aligned resource-grid view of the synchronization signals.
    • Once the PSS location is known, the receiver determines the SSS symbol position.
      • The SSS is located exactly one OFDM symbol before the PSS in LTE.
      • So the receiver moves backward by one symbol duration from the detected PSS position.
    • The receiver extracts the SSS OFDM symbol window.
      • It selects the correct sample range for the SSS symbol.
      • This must be aligned using the timing information obtained from PSS detection.
    • The cyclic prefix is removed.
      • The CP samples at the start of the symbol are discarded.
      • This leaves only the useful OFDM symbol part.
    • FFT is applied to the useful symbol samples.
      • This converts the signal from time domain into frequency domain.
      • The output is a set of subcarrier-domain complex values.
    • The receiver extracts the central synchronization region.
      • It takes the center 72 subcarriers corresponding to 6 RBs.
      • It removes the DC subcarrier at the center.
      • The result is a 62-element frequency-domain vector for SSS processing.
      • This vector is often written as RSSS.
  • Phase 3 is frequency-domain synchronization using SSS
    • The main goal is to determine the full physical cell ID and the exact 10 ms frame boundary.
    • The receiver generates SSS hypotheses.
      • There are 168 possible values of NID1.
      • For each NID1, the SSS sequence depends on whether it is in subframe 0 or subframe 5.
      • So the receiver must consider both half-frame possibilities.
    • The receiver performs frequency-domain correlation.
      • The received 62-element SSS vector is compared with candidate SSS sequences.
      • This is typically done by point-by-point complex multiplication and accumulation.
      • In other words, the receiver performs a dot-product style correlation in frequency domain.
    • The best matching candidate determines NID1.
      • Once NID1 is found, the receiver now has the remaining part of the physical cell identity.
    • The full PCI is then calculated.
      • PCI = 3 x NID1 + NID2.
      • Since NID2 was already obtained from PSS detection, the full cell ID can now be resolved.
    • The matching half-frame hypothesis determines frame timing.
      • If the detected SSS corresponds to the subframe 0 pattern, the receiver is aligned to the frame start.
      • If it corresponds to the subframe 5 pattern, the receiver is aligned to the frame midpoint.
      • This gives the exact 10 ms frame boundary.
  • PSS and SSS have different synchronization roles
    • PSS mainly provides coarse timing and NID2.
      • It is usually detected in time domain.
      • It is well suited for sliding correlation because it must search across unknown sample timing.
    • SSS mainly provides NID1 and frame timing.
      • It is usually detected in frequency domain.
      • It is processed after OFDM demodulation because the receiver already has approximate timing from the PSS stage.
  • Full synchronization result is a structured resource grid
    • The receiver now knows where symbol boundaries are located.
    • It knows the 5 ms and 10 ms timing structure.
    • It knows the full physical cell ID.
    • It has compensated at least coarse frequency offset.
    • It can now build a synchronized LTE resource grid for further processing.
  • Practical outcome is readiness for broadcast channel decoding
    • Once timing and cell identity are known, the receiver can locate PBCH correctly.
    • Then it can decode the MIB.
    • This is the point where initial LTE cell acquisition becomes a usable synchronized communication link.

Cell Detection / Search in srsRAN

If you are interested in this process at the source code level of the protocol stack, I would suggest you to look into the openSource srsRAN. Following APIs can be good places for you to start. This list is from the master-branch of the code that was downloaded on Oct 8,2021

  • srsran_pss_generate() -> \lib\src\phy\sync\pss.c
  • srsran_pss_init_N_id_2() -> \lib\src\phy\sync\pss.c
  • srsran_pss_find_pss() -> \lib\src\phy\sync\pss.c
  • All functions -> \lib\src\phy\sync\gen_sss.c
  • srsran_sss_N_id_1() -> \lib\src\phy\sync\sss.c
  • srsran_sss_m0m1_diff_coh()  -> \lib\src\phy\sync\find_sss.c
  • srsran_sync_find() -> \lib\src\phy\sync\sync.c
  • srsran_sync_get_cell_id() -> \lib\src\phy\sync\sync.c
  • srsran_sync_detect_cp() -> \lib\src\phy\sync\sync.c
  • sync_sss_symbol() -> \lib\src\phy\sync\sync.c
  • cfo_cp_estimate()  -> \lib\src\phy\sync\sync.c
  • cfo_i_estimate() -> \lib\src\phy\sync\sync.c
  • srsran_ue_sync_get_sfn() -> \lib\src\phy\ue\ue_sync.c
  • find_peak_ok() -> \lib\src\phy\ue\ue_sync.c
  • track_peak_ok() -> \lib\src\phy\ue\ue_sync.c
  • srsran_ue_sync_run_find_pss_mode() -> \lib\src\phy\ue\ue_sync.c
  • srsran_ue_sync_run_track_pss_mode() -> \lib\src\phy\ue\ue_sync.c
  • srsran_ue_cellsearch_scan_N_id_2() -> \lib\src\phy\ue\ue_cell_search.c
  • srsran_ue_cellsearch_scan() -> \lib\src\phy\ue\ue_cell_search.c
  • get_cell() -> \lib\src\phy\ue\ue_cell_search.c
  • srsran_pbch_cp() -> \lib\src\phy\phch\pbch.c
  • srsran_pbch_get() -> \lib\src\phy\phch\pbch.c
  • srsran_pbch_decode() -> \lib\src\phy\phch\pbch.c
  • srsran_ue_mib_decode() -> \lib\src\phy\ue\ue_mib.c
  • srsran_ue_mib_sync_set_cell() -> \lib\src\phy\ue\ue_mib.c

Some highlights of implementation of the initial cell detection in srsRAN can be summarized as follows.

Step 1 : Find N_id_2 value as follows (\lib\examples\synch_file.c)

      for (N_id_2 = 0; N_id_2 < 3; N_id_2++) {

        peak_pos[N_id_2] = srsran_pss_find_pss(&pss[N_id_2], input, &peak_value[N_id_2]);

      }

      float max_value = -99999;

      N_id_2          = -1;

      int i;

      for (i = 0; i < 3; i++) {

        if (peak_value[i] > max_value) {

          max_value = peak_value[i];

          N_id_2    = i;

        }

      }

    Sub Step 1 : Generate PSS signal for a given N_id_2 value both in frequency domain and time domain using srsran_pss_init_N_id_2(). srsran_pss_init_N_id_2() generate PSS first in frequency domain using srsran_pss_generate() and convert it to time domain data by ifft.

    Sub Step 2 : Find the correlation peak of PSS in time domain using srsran_pss_find_pss()

     

Step 2 : Find N_id_1 using srsran_sss_N_id_1().

    srsran_sss_N_id_1() is based on many other functions like function in \lib\src\phy\sync\gen_sss.c and functions in \lib\src\phy\sync\sss.c  

     

Step 3 : Calculate Physical Cell ID using srsran_sync_get_cell_id().

    srsran_sync_get_cell_id() calculate the cell ID using N_id_2 and N_id_1 from previous steps.

References :