locating via GSM, revisited

andrzej zaborowski balrogg at gmail.com
Sun Apr 20 13:29:21 CEST 2008


On 20/04/2008, joerg at openmoko.org <joerg at openmoko.org> wrote:
> This is about getting your actual position, not by means of GPS or WiFi
>  scanning (like http://www.skyhookwireless.com), but by exploiting the
>  information you may get from GSM network fingerprint.
>  All the tests were done with an old Nokia 6210.
>
>  Everybody knows you may get information about the serving cell
>  (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With
>  this info, by getting exact geographical data for the BTS, you may describe an
>  area nearly the form of a circle with the BS position as center, where your
>  actual location is supposed to be within. The radius of this circle may vary
>  from a few 100 meters to a virtual maximum of 35km, depending on the BTS
>  density (distance between BTS) of the area you are traveling.
>
>  There is not so well-known further more detailed information you may get from
>  your GSM-modem (MobileStation, MS), which consists of:
>  a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
>  b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)
>  This additional info may be used to dramatically improve the precision of
>  GSM-based location data.

Wow, didn't know that.  I think the timing advance must be
understood as the virtual distance the signal has to travel, i.e. signal
strength and not the distance we're interested in.  Or might a GSM
modem have a way to know its physical distance from the BTS? (Maybe
the BTS can know, comparing the Signal-quality the phone sees and the
quality of the signal *from* the phone to BTS, or even talking to
other BTSes)

It would be interesting to see how the three values: RF SQ, TA and GPS
distance correlate.

>
>  According to
>  http://nobbi.com/download/nmmanual.pdf  p.6,["Display 3 – Serving cell, 1st
>  and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network
>  in OM apartment/Taipei and adjacent areas.
>  ****
>  Basic BTS and network info [Display 1]:
>  ----
>  CH:706 RxL:-58 TxPWr:xxx
>  TS:0 TA:1 RQ:x RLT:xxxx
>  C1:51 C2:51
>  CHT:CCCH
>
>  ****
>  Basic BTS and network info [Display 11]:
>  ----
>  MCC:466 MNC:97
>  LocAreaCode:(LAC:) 12902
>  ServChannel:706
>  CellId:19351
>
>  That's quite the data everyone is thinking of when it comes to GSM-location
>  services, like here: http://janus.liebregts.nl/cellid/index_en.html.
>  Get the coordinates of BTS ID:19351 and you roughly know where you are.
>  Anyway, as described above, this data is not as precise as we would like to
>  see it, giving an area for the current location of about 3 square-km and up to
>  a theoretical maximum of ~220 sq-km. Even when taking into calculation the
>  very random signal-strength of the active BTS, the figure isn't much better.
>  Furthermore signal strength reading isn't comparable between different models
>  of cellphones due to varying antenna and receiver sensitivity, which makes it
>  almost useless for centralized databases.
>
>  To start with point b), according to http://nobbi.com/glossar.htm#ta we can
>  see from the timing advance value "TA:1" in [Display 1], that we are at a
>  distance to BTS of >(1 x 550m) and <(2 x 550m)
>  # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
>  # mean (0x550) < distance < (1x550) ))
>  Anyway, obviously that's _much_better_ than guessing our distance to BTS based
>  on some random signal-strength reading, that may jump up and down a 12dB by
>  moving just 1m or merely turning the phone's heading.
>  To get an actual TA-reading, we have to trigger any communication between MS
>  and BTS. Any command sequence like "*#100#" will do, even when the network
>  answers "not done".
>
>
>  Now for point a):
>  (( I'm concatenating the info of the 3 displays for better reading. All cells
>  were "N"=normal priority, 1.line is channel, 2.ff lines the signal
>  strength ))
>
>  ****
>  Neighbour cells info (NCELL-list) [Display 3-5]:
>  ----
>  OM apartment, balcony:
>  706__690__704__699__709__681__696__||_700__687
>  -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
>  -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
>  The max and min readings were obtained by moving the phone ~60cm!
>  Channels right of "||" are occasional readings, kicking out some weaker
>  station.
>
>  OM apartment, big dorm (no more max and min, variation was like above):
>  706__699__704__690__701__681__702
>  -52__-56__-66__-72__-74__-76__-81
>
>  Front of OM Ap. building
>  706__697__689__692__701__695__693
>  -48__-66__-70__-71__-71__-74__-76
>
>  Front of OM Ap. building, 3m away
>  706__689__683__687__697__695__701
>  -53__-68__-70__-73__-73__-78__-79
>
>  50m down the street, near park
>  706__683__692__689__695__697__702
>  -49__-79__-79__-79__-82__-82__-82
>
>  150m direction 101, inside park
>  693__697__681__706__689__699__702
>  -71__-73__-73__-74__-76__-77__-85
>
>
>  From this data, we see it's quite possible to determine location to a
>  precision of around 100 x 100m or even better.
>  Of course this depends on the density of BTS again.
>
>
>  To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
>  whether we can get the NCELL-list from our GSM-modems.

Yes, we can, the info at
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Neighbour_Cell_Information_.282.2C3.29
came from my GTA01 modem but it works also on the GTA02 modem.  In
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Serving_Cell_Information_.282.2C1.29
we also get the Timing Advance value (called tav).  We need some stats
:)

I'm not sure about forcing a reselection of the station but my guess
would be that there is a command for that also.

Regards
-- 
Please do not print this email unless absolutely necessary. Spread
environmental awareness.
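
An added example, not part of the original messages: a nearest-fingerprint lookup over the NCELL readings quoted in this thread, plus the TA distance band as the quoted message reads it (the message itself is unsure whether TA counts from 0 or 1). The function names, the -110 dBm floor for missing channels and the sample reading are assumptions made for illustration; the balcony reading is left out because it carries max/min rows.

```python
FLOOR_DBM = -110  # assumption: level used for a channel missing from one list

# NCELL readings copied from the quoted message: (channel line, RxLev line)
SURVEY = {
    "big dorm": ("706__699__704__690__701__681__702",
                 "-52__-56__-66__-72__-74__-76__-81"),
    "front of building": ("706__697__689__692__701__695__693",
                          "-48__-66__-70__-71__-71__-74__-76"),
    "front of building, 3m away": ("706__689__683__687__697__695__701",
                                   "-53__-68__-70__-73__-73__-78__-79"),
    "50m down the street": ("706__683__692__689__695__697__702",
                            "-49__-79__-79__-79__-82__-82__-82"),
    "150m, inside park": ("693__697__681__706__689__699__702",
                          "-71__-73__-73__-74__-76__-77__-85"),
}

def parse_ncell(channels, levels):
    """Turn the two '__'-separated lines into {channel: RxLev in dBm}."""
    chans = [int(c) for c in channels.split("__")]
    levs = [int(v) for v in levels.split("__")]
    if len(chans) != len(levs):
        raise ValueError("channel and level lines differ in length")
    return dict(zip(chans, levs))

def distance(a, b):
    """Mean absolute dB difference over the union of both channel sets."""
    keys = set(a) | set(b)
    return sum(abs(a.get(k, FLOOR_DBM) - b.get(k, FLOOR_DBM)) for k in keys) / len(keys)

def locate(sample, survey=SURVEY):
    """Return (label, score) of the surveyed spot closest to the sample."""
    scored = ((name, distance(sample, parse_ncell(*lines)))
              for name, lines in survey.items())
    return min(scored, key=lambda item: item[1])

def ta_ring(ta, step_m=550):
    """Distance band in metres, read as TA*550 < d < (TA+1)*550 as in the message."""
    if not 0 <= ta <= 63:  # TA is a 6-bit value in GSM
        raise ValueError("TA out of range")
    return ta * step_m, (ta + 1) * step_m

# Constructed sample: a noisy reading resembling the park measurement
SAMPLE = {693: -69, 697: -75, 681: -74, 706: -72, 689: -78, 699: -80, 702: -83}

if __name__ == "__main__":
    print(locate(SAMPLE), ta_ring(1))
```

Scoring on the set of visible channels as well as their levels matters here: the quoted readings swing by many dB over 60 cm, while the channel list changes more slowly between spots.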

