Measuring your network performance used to require tens of thousands of pieces of customised test equipment. Now it can be done with a phone and very clever software. Here James Body looks at how to use Network Signal Guru to evaluate the performance of a mobile network.
The headline figure of top speed is often seen as the measure of a network, but behind this lies a huge number of components. Only by understanding these can you truly know how well a network is working.
While 5G is about more than speed it’s the metric which is easiest to understand
have an incredible ability to investigate what is going on with a mobile phone network. But getting them to do it is a bit of a problem. You’ll need software that talks to the chip at a very low level and an operating system that will handle that. This means that you need a modified version of Android, and that requires a rooted phone.
Installing Network Signal Guru is then straightforward. At Telet Research we use the full, paid-for version of the application, but as that’s $2,000 a copy we’ll use the free version for this tutorial. One of the advantages of the paid version is that you can record traces, which can then be dropped into a desktop tool that lets you look at the packets in the Wireshark tool. It’s hugely useful for digging into what’s going on. You can see all the changes, all the handoffs, and possibly the most useful exchange, which is the one where you first attach to the network. The first part of the signalling exchange is swapped clear, without any kind of encryption. After the first bit, all the signalling is then encrypted. For us, as people who run a mobile network with multi-operator neutral host, the ability to capture that first couple of clear exchanges is hugely valuable, because with those, you can then gather a lot of information about what is on the end. For example, it will say, “I’m an iPhone 12, these are my capabilities”.
The phone being used here is a Xiaomi Mi 10T Lite, with a Three pay-as-you-go SIM. Using an overseas SIM, which would roam onto all networks, would give more information; for many readers, that would be a SIM tied to their own private or 5GTT network. At Telet Research we make our own multi-IMSI SIMs, which add an additional level of insight.
When you look at the numbers, it’s important to understand decibels. Note the huge difference between receive and transmit power. This handset is receiving at around -90dBm (0.000000001mW) and transmitting at 8dBm (6.3mW). The difference is the path loss - how the radio signal drops off from one end to the other. The mobile-phone mast will be transmitting at a very much higher power, typically 3W. It can receive signal from the handset that puts out a signal of 500 times less power because the base station has a huge antenna array.
The handset has a couple of small antennas which fit in your pocket.
To get a feel for what is a good number to look for, Network Signal Guru colour-codes the numbers. A more numeric way of looking at this is to use the rule of thumb that a reference signal received power of -80dBm or lower, with a reference signal received quality of -10dB or lower and a signal to noise ratio of 20dB or lower is an excellent set of figures. That’s what you see here. In this case, we drove close to the cell site and took the readings outdoors.
A good, solid signal will have a reference signal received power of between -80 and -90dBm, with a reference signal received quality of between -10 and -15dB or lower and a signal to noise ratio of 13 to 20dB.
AN ADEQUATE SET OF figures would be a reference signal received power of between -90 and -100dBm, with a reference signal received quality of between -15 and -20dB and a signal to noise ratio of 0 to 13dB.
A huge amount of information can be gleaned from using Network Signal Guru. It’s a useful tool in many of the stages of setting up a new private or community network. By using it before you start at a new site, you can see what spectrum is being used where. This is invaluable when applying for a local access or shared access licence from Ofcom. You’ll find that the information you receive is very different to the predictive coverage maps that you can see on the web.
When you are building a network use of this tool allows you to see the difference between your predictions and actual results. In a rural environment, coverage changes with the seasons as trees in leaf absorb signals.
Better understanding of all elements of the signals helps you to build a robust network. It shows you where you need and don’t need to fill in with additional coverage. Understanding the effects of multipath, especially indoors, is essential in a commercial environment.
But perhaps the best thing about using Network Signal Guru is that when you are on a call to someone and the line drops and they call back and say “I don’t know what happened there” you will be able to tell them.
BACKWARD COMPATIBILITY IS IMPORTANT IN MOBILE NETWORKS. WHILE 3G IS LIKELY TO BE SWITCHED OFF SOON, WE’LL SEE 2G AND 4G NETWORKS FOR YEARS TO COME
These fields are all empty because the handset is idle
This is the answer to the question “how good is my 5G signal?” It shows the signal strengths for each carrier. The PCI is the Primary Cell Indicator, so this handset can see two cells numbered 406 and 407. There are seven beams across the two cells: the first two, with very similar strengths, are pointing in the same direction
Radio band being used TTD (time division)
The Physical Uplink Control Channel looks after the transmission (Tx) power levels - making sure there is enough oomph to reach the base station without overdoing it
The Physical Uplink Shared Channel is the main uplink (Tx) channel and is used to carry the UL-SCH (Uplink Shared Channel) transport channel. It carries both signalling and user data
New Radio (5G) nonstandalone: uses a 4G core
Central frequency being used Channel bandwidth available
Global Synchronisation Channel Number. This gives a 5G handset a starting point as to where to look for synchronisation information, which is needed to
Timing advance. A mechanism to calculate your distance from the cell. It's a bit like radar. The further away you are from the cell, the bigger the figure. This ensures that the radio waveform, when it arrives at the cell, is all in sync
The Block Error Ratio is the number of blocks received with faulty checksums compared with the number with valid checksums
Signal to noise ratio: no number is shown because the handset is not transmitting
Reference Signal Received Quality is a measurement of the quality of the received reference signal
As this system is NSA, or non-standalone, this system uses both 5G (NR) and 4G (LTE). Here you have complete breakdown of all the component parts within the carrier aggregation. P is the primary band, so the anchor band. In this case, this is being anchored in Band 1, which is 2100 MHz, on an EARFCN, which has a radio frequency channel number of 99
Here, you can see the buildup of carrier aggregation. The primary is 2100 (Band 1). You’ve got a supplementary (S1) channel in Band 3, which has been stitched together with the new radio. Active on this phone are Band 1, Band 3, and N 78 (TD3500 at the top). Those are the three bands you’ve got here
Reference Signal Received Power is the power of the reference signals spread over the full bandwidth and narrowband
The Physical Cell ID eliminates interference when using the same frequency with different cells
The Ns are neighbours. They’re neighbouring cells that your phone can see, but they’re not in traffic. The network is constantly looking to give you the best possible combination. It’s actually the RSRQ, the quality, that gives you the best indication of what’s good. You can have a high power, but because it’s all congested, it’ll be poor quality. A good figure is -10 or higher. Obviously -9 is a higher number than -10
QUALCOMM CHIPSETSThis is a 4G link with two carrier aggregation. It’s listed here as Session 1, which is used for data like email and web, and Session 2, which is used for signalling and voice
The Quality Control Indicator gives the priority for sessions. The lower the number, the higher the priority. A value of 9 means general usage. Signalling and voice get higher priority, so you can still make a SIP voice call even when the network is too congested for data traffic
THE
Evolved Universal Mobile Telecommunications System Terrestrial Radio Access is another term for 4G. When the 3GPP standards body was set up, its mandate was 3G. It wasn’t supposed to discuss 4G or anything else. So a working group called itself 3G Long Term Evolution, the evolution of 3G, which of course was 4G in all but name
This is how the phone and network initiate the connection. RACH stands for random access channel. It’s a sequence of processes between the user’s equipment, the handset, and the cell, and it’s needed for the handset to acquire uplink synchronisation and obtain the specified ID for the radio access communication. There’s a handshake that goes back and forth when you initially try to access, and that’s where it works out the power levels. Depending on what the handset gets from the cell, the handset will then set its own power level that is just sufficient to be able to get back into the cell. This one is transmitting at 8dBm, which is great. It’s in an area of good coverage and the connection succeeded at the first try. If it had failed, the system would have waited four milliseconds and retried 2dB louder. It would repeat this ten times if necessary. This stepping up the power and trying again in
Session 1 uses an IPv4 address, while Session 2 is IPv6
CSCF sets up, monitors, supports and releases multimedia sessions. There are none in use on this screen
Aggregate Maximum Bit Rate is the maximum possible bit rate that the session can run at. It provides way more headroom than the rest of the device can maintain. This is the maximum possible if bandwidth is available and dependent on what and how many services you are using. It is a set value and not an indication of the performance of the network or handset. It's a bit like the speedo in a car, which reads up to a speed that cannot be reached
Globally Unique Temporary Identity is a mix of the mobile operator’s information and the customer’s unique IMSI serial number. 234 is one of the country codes for the UK and 20 is Three. When the handset was turned on it sent to Three its IMSI for authentication to have itself identified. Once authenticated, the network sends a GUTI value through an Attach Accept message. This is used for each session and is not changed by re-booting
Signal strengths are measured in decibels. While transmission power might be given in Watts, how much gets into the air and to the end points spans such huge power differences that you soon end up with more zeros than you can count if you use Watts and milliwatts. Decibels, dB, or dBm for decibel milliwatts and dBW for decibel Watts are much more compact units. You can scale up from very tiny to pretty huge in only a few characters. One of the hardest things to get your head around is the idea of negative numbers. These are used because 1 Watt is 0dBW, so half a Watt can’t be half of zero, it’s -3dBW. It’s a logarithmic scale; 1mW is –30dBW, 10W is 10dBW, 100W is 20dBW, and 1KW is 60dBW. So going from 1mW to 1kW, which is a millionfold difference, can be expressed easily. When you are around radio you have to learn to think in decibels. It’s used for transmit and receive power, losses, antenna gain and all kinds of performance metrics.
Perhaps the hardest part of getting going with Network Signal Guru is rooting. This gives apps root access to the hardware in the device, the highest level of privileges. It’s a dangerous thing to do because it gives apps access to all aspects of the phone. Malware can crawl around and steal your data. If you are rooting a phone to install Network Signal Guru, it’s probably best to have a dedicated device for the job and not keep any personal data on the phone.
To root the phone, the operating system must be modified. Getting access to the operating system means unlocking the bootloader - the software that loads Android into the phone when you switch it on. Different manufacturers have different protocols for doing this. For Xiaomi, you need to join the Mi community and ask for permission. This takes 168 hours (seven days) to be granted. Once unlocked, you can copy the version of Android from the phone to your PC, apply the patches that are necessary to allow Network Signal Guru to access the Qualcomm chips, and then copy the modified software back into the handset by flashing it. You need to understand what you are doing at each of the stages and you must have experience of using DOS command prompts. Get it wrong and you can kill the phone.
A LOT CAN BE LEARNED ABOUT HOW WELL THE NETWORK IS PERFORMING BY INSPECTING THE SIGNALLING PACKETS
The signalling messages in 5G include IMS SIP messages. This is the main signalling protocol for voice-over-IP, but in 4G and 5G, it’s also used by SMS. If you have the paid version of Network Signal Guru, you can pull the traces out and feed them to wireshark. It’s great for debugging. With this sort of trace, you can drill down into the underlying IMS bits and find out what’s going wrong.
One of the features of a 5G measurement report is that it allows the handset to report to the network how good the signal is.
Two of the key parameters that we’re looking for here are the point at which our radio coverage becomes sufficiently strong that we can attach to the network, and then, going the other way, the point at which we drop off the network. We want to have those signal levels and locations plotted so that we can then validate our radio propagation model. Based on those points, we then wind the values in the radio planning tool up and down until they match. You can then whizz around with your handset as you know where the bandwidth’s supposed to be, and just check that it’s there.
This should lead to much more accurate coverage maps. It can also be used to detect malicious cell sites - fake sites put up by criminals for a person-inthe-middle attack to snoop on a user.
James Body
Chief Executive, Telet Research
Plagued by poor mobile coverage in his home, which is nestled in Wiltshire’s Chalke Valley, James Body decided that he really needed his own network. Having been one of the founders of Truphone and an officer in the Royal Signals, and having a can-do
attitude, he set about building one. Telet Research provides connectivity to a number of DCMS projects and is the project lead for Multi Operator Neutral Host, the Wiltshire programme that is already covering his home
