locating via GSM, revisited
joerg at openmoko.org
joerg at openmoko.org
Sun Apr 20 12:09:46 CEST 2008
This is about getting your actual position, not by means of GPS or WiFi
scanning (like http://www.skyhookwireless.com), but by exploiting the
information you may get from GSM network fingerprint.
All the tests were done with an old Nokia 6210.
Everybody knows you may get information about the serving cell
(BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With
this info, by getting exact geographical data for the BTS, you may describe an
area nearly the form of a circle with the BS position as center, where your
actual location is supposed to be within. The radius of this circle may vary
from a few 100 meters to a virtual maximum of 35km, depending on the BTS
density (distance between BTS) of the area you are traveling.
There is not so wellknown further more detailed information you may get from
your GSM-modem (MobileStation, MS), which consists of:
a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)
This additional info may be used to dramatically improve the precision of
GSM-based location data.
According to
http://nobbi.com/download/nmmanual.pdf p.6,["Display 3 – Serving cell, 1st
and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network
in OM apartment/Taipei and adjacent areas.
****
Basic BTS and network info [Display 1]:
----
CH:706 RxL:-58 TxPWr:xxx
TS:0 TA:1 RQ:x RLT:xxxx
C1:51 C2:51
CHT:CCCH
****
Basic BTS and network info [Display 11]:
----
MCC:466 MNC:97
LocAreaCode:(LAC:) 12902
ServChannel:706
CellId:19351
That's quite the data everyone is thinking of when it comes to GSM-location
services, like here: http://janus.liebregts.nl/cellid/index_en.html.
Get the coordinates of BTS ID:19351 and you roughly know where you are.
Anyway, as described above, this data is not as precise as we would like to
see it, giving an area for the current location of about 3 square-km and up to
a theoretical maximum of ~220 sq-km. Even when taking into calculation the
very random signal-strength of the active BTS, the figure isn't much better.
Furthermore signal strength reading isn't comparable between different models
of cellphones due to varying antenna and receiver sensitivity, what makes it
almost useless for centralized databases.
To start with point b), according to http://nobbi.com/glossar.htm#ta we can
see from the timing advance value "TA:1" in [Display 1], that we are at a
distance to BTS of >(1 x 550m) and <(2 x 550m)
# ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
# mean (0x550) < distance < (1x550) ))
Anyway, obviously that's _much_better_ than guessing our distance to BTS based
on some random signal-strength reading, that may jump up and down a 12dB by
moving just 1m or mere turning the phones heading.
To get an actual TA-reading, we have to trigger any communication between MS
and BTS. Any command sequence like "*#100#" will do, even when the network
answers "not done".
Now for point a):
(( I'm concatenating the info of the 3 displays for better reading. All cells
were "N"=normal priority, 1.line is channel, 2.ff lines the signal
strength ))
****
Neighbour cells info (NCELL-list) [Display 3-5]:
----
OM apartment, balcony:
706__690__704__699__709__681__696__||_700__687
-35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
-62__-63__-68__-72__-72__-74__nul__||_nul__nul min
The max and min readings where obtained by moving the phone ~60cm!
Channels right of "||" are occasional readings, kicking out some weaker
station.
OM apartment, big dorm (no more max and min, variation was like above):
706__699__704__690__701__681__702
-52__-56__-66__-72__-74__-76__-81
Front of OM Ap. building
706__697__689__692__701__695__693
-48__-66__-70__-71__-71__-74__-76
Front of OM Ap. building, 3m away
706__689__683__687__697__695__701
-53__-68__-70__-73__-73__-78__-79
50m down he street, near park
706__683__692__689__695__697__702
-49__-79__-79__-79__-82__-82__-82
150m direction 101, inside park
693__697__681__706__689__699__702
-71__-73__-73__-74__-76__-77__-85
From this data, we see it's quite possible to determine location to a
precision of around 100 x 100m or even better.
Of course this depends on the density of BTS again.
To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
whether we can get he NCEL-list from our GSM-modems.
Further refinement is possible by using special debug modes of the modem to
register with remote neighbour cells and thus get a TA and thus distance
reading for them too. ((see http://nobbi.com/download/nmmanual.pdf p.11,
["Display 17 – Switch 'BTS Test' Status"]))
cheers
jOERG
More information about the openmoko-kernel
mailing list