locating via GSM, revisited

joerg at openmoko.org
Sun Apr 20 12:09:46 CEST 2008

This is about getting your actual position, not by means of GPS or WiFi 
scanning (like http://www.skyhookwireless.com), but by exploiting the 
information you may get from the GSM network fingerprint.
All the tests were done with an old Nokia 6210.

Everybody knows you may get information about the serving cell 
(BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With 
this info, by getting exact geographical data for the BTS, you may describe an 
area roughly the shape of a circle, with the BTS position as center, within 
which your actual location is supposed to be. The radius of this circle may vary 
from a few hundred meters to a theoretical maximum of 35km, depending on the BTS 
density (distance between BTS) of the area you are traveling through.

There is further, not so well-known, more detailed information you may get from 
your GSM-modem (MobileStation, MS), which consists of:
a) The (usually) 6 nearest nearby BTS (to be correct: the BTS with the next best RF signal),
b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)
This additional info may be used to dramatically improve the precision of 
GSM-based location data.

According to
http://nobbi.com/download/nmmanual.pdf p.6 ["Display 3 – Serving cell, 1st 
and 2nd neighbour", ff.], I did some probes on the "TWN GSM" provider's network 
in the OM apartment/Taipei and adjacent areas.
Basic BTS and network info [Display 1]:
CH:706 RxL:-58 TxPWr:xxx
TS:0 TA:1 RQ:x RLT:xxxx
C1:51 C2:51 

Basic BTS and network info [Display 11]:
MCC:466 MNC:97
LocAreaCode:(LAC:) 12902

That's the data everyone thinks of when it comes to GSM-location 
services, like here: http://janus.liebregts.nl/cellid/index_en.html.
Get the coordinates of BTS ID:19351 and you roughly know where you are.
Anyway, as described above, this data is not as precise as we would like it 
to be, giving an area for the current location of about 3 square-km and up to 
a theoretical maximum of ~220 sq-km. Even when taking the rather random 
signal strength of the active BTS into account, the figure isn't much better. 
Furthermore, signal-strength readings aren't comparable between different models 
of cellphones due to varying antenna and receiver sensitivity, which makes them 
almost useless for centralized databases.

To start with point b): according to http://nobbi.com/glossar.htm#ta we can 
see from the timing advance value "TA:1" in [Display 1] that we are at a 
distance from the BTS of >(1 x 550m) and <(2 x 550m).
# ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might 
# mean (0x550) < distance < (1x550) ))
Anyway, obviously that's _much_better_ than guessing our distance to the BTS based 
on some random signal-strength reading, which may jump up and down by 12dB when 
moving just 1m or merely turning the phone's heading.
To get an actual TA reading, we have to trigger some communication between MS 
and BTS. Any command sequence like "*#100#" will do, even when the network 
answers "not done".

Now for point a):
(( I'm concatenating the info of the 3 displays for better reading. All cells 
were "N"=normal priority; the 1st line is the channel, the 2nd and following 
lines the signal strength ))

Neighbour cells info (NCELL-list) [Display 3-5]:
OM apartment, balcony:
-35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
-62__-63__-68__-72__-72__-74__nul__||_nul__nul min
The max and min readings were obtained by moving the phone ~60cm!
Channels right of "||" are occasional readings, kicking out some weaker 

OM apartment, big dorm (no more max and min, variation was like above):

Front of OM Ap. building

Front of OM Ap. building, 3m away

50m down the street, near park

150m direction 101, inside park

From this data, we see it's quite possible to determine the location to a 
precision of around 100 x 100m or even better.
Of course this again depends on the density of BTS.
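To make the TA arithmetic of point b) and the neighbour-cell comparison of point a) concrete, here is an added Python example; it is not code from this post or from the Openmoko project. The Netmonitor lines are the ones quoted above, the 550m step and the 35km maximum are taken from the post, and the two neighbour channel lists are constructed (the post's channel lines did not survive), as is the choice of a Jaccard overlap for comparing them.

```python
import math
import re

TA_STEP_M = 550             # one Timing Advance step, as stated in the post
MAX_CELL_RADIUS_M = 35_000  # theoretical maximum cell radius quoted in the post

# Sample input: the Netmonitor lines quoted in the post (Display 1 and Display 11)
DISPLAY_1 = "CH:706 RxL:-58 TxPWr:xxx\nTS:0 TA:1 RQ:x RLT:xxxx\nC1:51 C2:51"
DISPLAY_11 = "MCC:466 MNC:97\nLocAreaCode:(LAC:) 12902"


def parse_display(text):
    """Extract KEY:VALUE pairs from a Netmonitor display dump.
    Numeric values become ints; placeholders such as 'xxx' stay strings."""
    fields = {}
    for key, val in re.findall(r"(\w+):\)?\s*(-?\w+)", text):
        fields[key] = int(val) if re.fullmatch(r"-?\d+", val) else val
    return fields


def ta_ring(ta, base=0):
    """(inner, outer) distance to the serving BTS in metres for a TA value.
    base=0 is the post's reading (TA:1 -> 550..1100 m);
    base=1 is the alternative the post mentions (TA:1 -> 0..550 m)."""
    steps = ta - base
    return (steps * TA_STEP_M, (steps + 1) * TA_STEP_M)


def ring_area_km2(inner_m, outer_m):
    """Area of the annulus between two radii, in square kilometres."""
    return math.pi * (outer_m ** 2 - inner_m ** 2) / 1e6


def ta_gain(ta, base=0):
    """How many times smaller the TA ring is than the full 35 km cell disc."""
    inner, outer = ta_ring(ta, base)
    return ring_area_km2(0, MAX_CELL_RADIUS_M) / ring_area_km2(inner, outer)


def ncell_similarity(channels_a, channels_b):
    """Jaccard overlap of two NCELL channel lists (constructed metric).
    Only channel numbers are compared: the post shows RxL swinging ~12 dB
    on a small move of the phone, so signal levels make a poor fingerprint."""
    a, b = set(channels_a), set(channels_b)
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    cell = {**parse_display(DISPLAY_1), **parse_display(DISPLAY_11)}
    inner, outer = ta_ring(cell["TA"])
    print(f"MCC {cell['MCC']} MNC {cell['MNC']} LAC {cell['LAC']} CH {cell['CH']}")
    print(f"TA={cell['TA']}: {inner}-{outer} m, ring {ring_area_km2(inner, outer):.2f} km^2")
    print("NCELL overlap:", ncell_similarity([706, 712, 688, 701], [706, 712, 688, 733]))
```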

To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated 
whether we can get the NCELL-list from our GSM-modems.

Further refinement is possible by using special debug modes of the modem to 
register with remote neighbour cells and thus get a TA, and therefore a distance 
reading, for them too. ((see http://nobbi.com/download/nmmanual.pdf p.11, 
["Display 17 – Switch 'BTS Test' Status"]))
