locating via GSM, revisited
andrzej zaborowski
balrogg at gmail.com
Sun Apr 20 13:29:21 CEST 2008
On 20/04/2008, joerg at openmoko.org <joerg at openmoko.org> wrote:
> This is about getting your actual position, not by means of GPS or WiFi
> scanning (like http://www.skyhookwireless.com), but by exploiting the
> information you may get from GSM network fingerprint.
> All the tests were done with an old Nokia 6210.
>
> Everybody knows you may get information about the serving cell
> (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With
> this info, by getting exact geographical data for the BTS, you may describe an
> area nearly the form of a circle with the BS position as center, where your
> actual location is supposed to be within. The radius of this circle may vary
> from a few 100 meters to a virtual maximum of 35km, depending on the BTS
> density (distance between BTS) of the area you are traveling.
>
> There is not so well-known further more detailed information you may get from
> your GSM-modem (MobileStation, MS), which consists of:
> a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
> b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)
> This additional info may be used to dramatically improve the precision of
> GSM-based location data.

Wow, didn't know that. I think the timing advance must be
understood as the virtual distance the signal has to travel, i.e. signal
strength and not the distance we're interested in. Or might a GSM
modem have a way to know its physical distance from the BTS? (Maybe
the BTS can know, comparing the signal quality the phone sees and the
quality of the signal *from* the phone to BTS, or even talking to
other BTSes)

It would be interesting to see how the three values: RF SQ, TA and GPS
distance correlate.

>
> According to
> http://nobbi.com/download/nmmanual.pdf p.6,["Display 3 – Serving cell, 1st
> and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network
> in OM apartment/Taipei and adjacent areas.
> ****
> Basic BTS and network info [Display 1]:
> ----
> CH:706 RxL:-58 TxPWr:xxx
> TS:0 TA:1 RQ:x RLT:xxxx
> C1:51 C2:51
> CHT:CCCH
>
> ****
> Basic BTS and network info [Display 11]:
> ----
> MCC:466 MNC:97
> LocAreaCode:(LAC:) 12902
> ServChannel:706
> CellId:19351
>
> That's quite the data everyone is thinking of when it comes to GSM-location
> services, like here: http://janus.liebregts.nl/cellid/index_en.html.
> Get the coordinates of BTS ID:19351 and you roughly know where you are.
> Anyway, as described above, this data is not as precise as we would like to
> see it, giving an area for the current location of about 3 square-km and up to
> a theoretical maximum of ~220 sq-km. Even when taking into calculation the
> very random signal-strength of the active BTS, the figure isn't much better.
> Furthermore signal strength reading isn't comparable between different models
> of cellphones due to varying antenna and receiver sensitivity, which makes it
> almost useless for centralized databases.
>
> To start with point b), according to http://nobbi.com/glossar.htm#ta we can
> see from the timing advance value "TA:1" in [Display 1], that we are at a
> distance to BTS of >(1 x 550m) and <(2 x 550m)
> # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
> # mean (0x550) < distance < (1x550) ))
> Anyway, obviously that's _much_better_ than guessing our distance to BTS based
> on some random signal-strength reading, that may jump up and down a 12dB by
> moving just 1m or merely turning the phone's heading.
> To get an actual TA-reading, we have to trigger any communication between MS
> and BTS. Any command sequence like "*#100#" will do, even when the network
> answers "not done".
>
>
> Now for point a):
> (( I'm concatenating the info of the 3 displays for better reading. All cells
> were "N"=normal priority, 1.line is channel, 2.ff lines the signal
> strength ))
>
> ****
> Neighbour cells info (NCELL-list) [Display 3-5]:
> ----
> OM apartment, balcony:
> 706__690__704__699__709__681__696__||_700__687
> -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
> -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
> The max and min readings were obtained by moving the phone ~60cm!
> Channels right of "||" are occasional readings, kicking out some weaker
> station.
>
> OM apartment, big dorm (no more max and min, variation was like above):
> 706__699__704__690__701__681__702
> -52__-56__-66__-72__-74__-76__-81
>
> Front of OM Ap. building
> 706__697__689__692__701__695__693
> -48__-66__-70__-71__-71__-74__-76
>
> Front of OM Ap. building, 3m away
> 706__689__683__687__697__695__701
> -53__-68__-70__-73__-73__-78__-79
>
> 50m down the street, near park
> 706__683__692__689__695__697__702
> -49__-79__-79__-79__-82__-82__-82
>
> 150m direction 101, inside park
> 693__697__681__706__689__699__702
> -71__-73__-73__-74__-76__-77__-85
>
>
> From this data, we see it's quite possible to determine location to a
> precision of around 100 x 100m or even better.
> Of course this depends on the density of BTS again.
>
>
> To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
> whether we can get the NCELL-list from our GSM-modems.

Yes, we can, the info at
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Neighbour_Cell_Information_.282.2C3.29
came from my GTA01 modem but it works also on the GTA02 modem. In
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Serving_Cell_Information_.282.2C1.29
we also get the Timing Advance value (called tav). We need some stats :)

I'm not sure about forcing a reselection of the station but my guess
would be that there is a command for that also.

Regards
--
Please do not print this email unless absolutely necessary. Spread
environmental awareness.
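
Added example, not part of the original thread or of any Openmoko code: a small matcher that treats the NCELL lists quoted above as location fingerprints and converts a Timing Advance value into a distance band under both readings the post leaves open. The function names, the -95 dBm floor for unseen channels and the sample observation are assumptions made for illustration; the balcony list is left out because it was posted as min/max pairs.

```python
import math

# NCELL lists as posted in the thread: location -> {channel: RxL in dBm}.
FINGERPRINTS = {
    "big dorm": {706: -52, 699: -56, 704: -66, 690: -72, 701: -74, 681: -76, 702: -81},
    "front of building": {706: -48, 697: -66, 689: -70, 692: -71, 701: -71, 695: -74, 693: -76},
    "front of building, 3m away": {706: -53, 689: -68, 683: -70, 687: -73, 697: -73, 695: -78, 701: -79},
    "50m down the street": {706: -49, 683: -79, 692: -79, 689: -79, 695: -82, 697: -82, 702: -82},
    "150m, inside park": {693: -71, 697: -73, 681: -73, 706: -74, 689: -76, 699: -77, 702: -85},
}
FLOOR_DBM = -95  # assumption: level assigned to a channel absent from one list

# Constructed observation (not from the thread): the park list shifted by 1-3 dB.
SAMPLE = {693: -69, 697: -75, 681: -74, 706: -72, 689: -78, 699: -80, 702: -83}


def ta_ring(ta, step_m=550, first_ta=0):
    """Distance band (min_m, max_m) implied by a Timing Advance value.

    first_ta=0 gives TA*step < d < (TA+1)*step; first_ta=1 shifts the band
    down by one step, the alternative reading the post leaves open.
    """
    band = ta - first_ta
    if band < 0:
        raise ValueError("TA below the first valid value")
    return band * step_m, (band + 1) * step_m


def rms_difference(obs, ref):
    """RMS dB difference over the union of channels seen in either list."""
    channels = set(obs) | set(ref)
    total = sum((obs.get(c, FLOOR_DBM) - ref.get(c, FLOOR_DBM)) ** 2 for c in channels)
    return math.sqrt(total / len(channels))


def locate(obs):
    """Rank stored locations by similarity to obs, best match first."""
    return sorted((rms_difference(obs, ref), name) for name, ref in FINGERPRINTS.items())


if __name__ == "__main__":
    print("TA:1 ->", ta_ring(1), "or", ta_ring(1, first_ta=1), "metres")
    for score, name in locate(SAMPLE):
        print(f"{score:6.1f} dB  {name}")
```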