locating via GSM, revisited

andrzej zaborowski balrogg at gmail.com
Sun Apr 20 13:29:21 CEST 2008

On 20/04/2008, joerg at openmoko.org <joerg at openmoko.org> wrote:
> This is about getting your actual position, not by means of GPS or WiFi
>  scanning (like http://www.skyhookwireless.com), but by exploiting the
>  information you may get from GSM network fingerprint.
>  All the tests were done with an old Nokia 6210.
>  Everybody knows you may get information about the serving cell
>  (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With
>  this info, by getting exact geographical data for the BTS, you may describe an
>  area nearly the form of a circle with the BS position as center, where your
>  actual location is supposed to be within. The radius of this circle may vary
>  from a few 100 meters to a virtual maximum of 35km, depending on the BTS
>  density (distance between BTS) of the area you are traveling.
>  There is not so well-known further more detailed information you may get from
>  your GSM-modem (MobileStation, MS), which consists of:
>  a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
>  b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)
>  This additional info may be used to dramatically improve the precision of
>  GSM-based location data.

Wow, didn't know that.  I think the timing advance must be
understood as the virtual distance the signal has travelled, i.e. signal
strength and not the distance we're interested in.  Or might a GSM
modem have a way to know its physical distance from the BTS? (Maybe
the BTS can know, comparing the Signal-quality the phone sees and the
quality of the signal *from* the phone to BTS, or even talking to
other BTSes)

It would be interesting to see how the three values: RF SQ, TA and GPS
distance correlate.

>  According to
>  http://nobbi.com/download/nmmanual.pdf  p.6,["Display 3 – Serving cell, 1st
>  and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network
>  in OM apartment/Taipei and adjacent areas.
>  ****
>  Basic BTS and network info [Display 1]:
>  ----
>  CH:706 RxL:-58 TxPWr:xxx
>  TS:0 TA:1 RQ:x RLT:xxxx
>  C1:51 C2:51
>  ****
>  Basic BTS and network info [Display 11]:
>  ----
>  MCC:466 MNC:97
>  LocAreaCode:(LAC:) 12902
>  ServChannel:706
>  CellId:19351
>  That's quite the data everyone is thinking of when it comes to GSM-location
>  services, like here: http://janus.liebregts.nl/cellid/index_en.html.
>  Get the coordinates of BTS ID:19351 and you roughly know where you are.
>  Anyway, as described above, this data is not as precise as we would like to
>  see it, giving an area for the current location of about 3 square-km and up to
>  a theoretical maximum of ~220 sq-km. Even when taking into calculation the
>  very random signal-strength of the active BTS, the figure isn't much better.
>  Furthermore signal strength reading isn't comparable between different models
>  of cellphones due to varying antenna and receiver sensitivity, which makes it
>  almost useless for centralized databases.
>  To start with point b), according to http://nobbi.com/glossar.htm#ta we can
>  see from the timing advance value "TA:1" in [Display 1], that we are at a
>  distance to BTS of >(1 x 550m) and <(2 x 550m)
>  # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
>  # mean (0x550) < distance < (1x550) ))
>  Anyway, obviously that's _much_better_ than guessing our distance to BTS based
>  on some random signal-strength reading, that may jump up and down a 12dB by
>  moving just 1m or merely turning the phone's heading.
>  To get an actual TA-reading, we have to trigger any communication between MS
>  and BTS. Any command sequence like "*#100#" will do, even when the network
>  answers "not done".
>  Now for point a):
>  (( I'm concatenating the info of the 3 displays for better reading. All cells
>  were "N"=normal priority, 1.line is channel, 2.ff lines the signal
>  strength ))
>  ****
>  Neighbour cells info (NCELL-list) [Display 3-5]:
>  ----
>  OM apartment, balcony:
>  706__690__704__699__709__681__696__||_700__687
>  -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
>  -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
>  The max and min readings were obtained by moving the phone ~60cm!
>  Channels right of "||" are occasional readings, kicking out some weaker
>  station.
>  OM apartment, big dorm (no more max and min, variation was like above):
>  706__699__704__690__701__681__702
>  -52__-56__-66__-72__-74__-76__-81
>  Front of OM Ap. building
>  706__697__689__692__701__695__693
>  -48__-66__-70__-71__-71__-74__-76
>  Front of OM Ap. building, 3m away
>  706__689__683__687__697__695__701
>  -53__-68__-70__-73__-73__-78__-79
>  50m down the street, near park
>  706__683__692__689__695__697__702
>  -49__-79__-79__-79__-82__-82__-82
>  150m direction 101, inside park
>  693__697__681__706__689__699__702
>  -71__-73__-73__-74__-76__-77__-85
>  From this data, we see it's quite possible to determine location to a
>  precision of around 100 x 100m or even better.
>  Of course this depends on the density of BTS again.
>  To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
>  whether we can get the NCELL-list from our GSM-modems.

Yes, we can, the info at
came from my GTA01 modem but it works also on the GTA02 modem.  In
we also get the Timing Advance value (called tav).  We need some stats

I'm not sure about forcing a reselection of the station but my guess
would be that there is a command for that also.

Please do not print this email unless absolutely necessary. Spread
environmental awareness.
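
An added illustration of the two ideas in the quoted message (not code from either poster or from the Openmoko project): the Timing Advance ring under both base interpretations the post leaves open, and matching an observed neighbour-cell list against the surveyed lists quoted above. The function names, the -95 dBm floor for a channel absent from a list, and the OBSERVED sample are assumptions made for this example.

```python
STEP_M = 550      # metres per Timing Advance increment, as stated in the post
FLOOR_DBM = -95   # assumed level for a channel that is missing from a list

# channel -> signal strength (dBm), copied from the NCELL lists in the quoted message
SURVEY = {
    "big dorm":          {706: -52, 699: -56, 704: -66, 690: -72, 701: -74, 681: -76, 702: -81},
    "front of building": {706: -48, 697: -66, 689: -70, 692: -71, 701: -71, 695: -74, 693: -76},
    "front, 3m away":    {706: -53, 689: -68, 683: -70, 687: -73, 697: -73, 695: -78, 701: -79},
    "near park":         {706: -49, 683: -79, 692: -79, 689: -79, 695: -82, 697: -82, 702: -82},
    "inside park":       {693: -71, 697: -73, 681: -73, 706: -74, 689: -76, 699: -77, 702: -85},
}

# Constructed sample reading (not from the post): a few dB off the "inside park" list
OBSERVED = {693: -69, 697: -75, 706: -72, 681: -74, 689: -78, 699: -80, 702: -84}


def ta_ring(ta, one_based=False):
    """Return (min_m, max_m) distance to the serving BTS for a TA value.

    one_based=False reads TA:1 as 550..1100 m; one_based=True reads it as
    0..550 m, the alternative the post says it is unsure about.
    """
    lo = max(ta - int(one_based), 0) * STEP_M
    return lo, lo + STEP_M


def fingerprint_distance(a, b):
    """Mean absolute dBm difference over the union of channels in both lists."""
    channels = set(a) | set(b)
    return sum(abs(a.get(c, FLOOR_DBM) - b.get(c, FLOOR_DBM)) for c in channels) / len(channels)


def locate(observed, survey=SURVEY):
    """Rank surveyed spots by closeness to the observed list, best match first."""
    return sorted((round(fingerprint_distance(observed, fp), 1), name)
                  for name, fp in survey.items())


if __name__ == "__main__":
    print("TA:1 ring, zero-based:", ta_ring(1))
    print("TA:1 ring, one-based: ", ta_ring(1, one_based=True))
    for score, name in locate(OBSERVED):
        print(f"{score:5.1f} dB  {name}")
```

Channels that drop in and out of the list dominate the score, so the two readings taken 3 m apart at the front of the building do not rank as each other's nearest neighbour, which reflects the variability the quoted measurements show.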

More information about the openmoko-kernel mailing list