locating via GSM, revisited

Fabian Off fabian2de-mailinglisten at yahoo.de
Wed Apr 23 21:41:17 CEST 2008

Hey Guys!
I just read through all of of your mails and searched on the net if no one
else has had this idea before :) And well, there are two guys having done
this for symbian. At [1] I collected links to documents written by them.
The project seems pretty great! It was a final year project for the
university of hong kong, and what they write seems to me preety successful
as they were able to provide exact positions based on gsm-only information!

[1]: http://www.off-online.net

joerg at openmoko.org wrote:

> This is about getting your actual position, not by means of GPS or WiFi
> scanning (like http://www.skyhookwireless.com), but by exploiting the
> information you may get from GSM network fingerprint.
> All the tests were done with an old Nokia 6210.
> Everybody knows you may get information about the serving cell
> (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS).
> With this info, by getting exact geographical data for the BTS, you may
> describe an area nearly the form of a circle with the BS position as
> center, where your actual location is supposed to be within. The radius of
> this circle may vary from a few 100 meters to a virtual maximum of 35km,
> depending on the BTS density (distance between BTS) of the area you are
> traveling.
> There is not so wellknown further more detailed information you may get
> from your GSM-modem (MobileStation, MS), which consists of:
> a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal
> BTS), b) The distance to your active BTS, in increments of 550m (Timing
> Advance, TA) This additional info may be used to dramatically improve the
> precision of GSM-based location data.
> According to
> http://nobbi.com/download/nmmanual.pdf  p.6,["Display 3 – Serving cell,
> 1st and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's
> network in OM apartment/Taipei and adjacent areas.
> ****
> Basic BTS and network info [Display 1]:
> ----
> CH:706 RxL:-58 TxPWr:xxx
> TS:0 TA:1 RQ:x RLT:xxxx
> C1:51 C2:51
> ****
> Basic BTS and network info [Display 11]:
> ----
> MCC:466 MNC:97
> LocAreaCode:(LAC:) 12902
> ServChannel:706
> CellId:19351
> That's quite the data everyone is thinking of when it comes to
> GSM-location services, like here:
> http://janus.liebregts.nl/cellid/index_en.html. Get the coordinates of BTS
> ID:19351 and you roughly know where you are. Anyway, as described above,
> this data is not as precise as we would like to see it, giving an area for
> the current location of about 3 square-km and up to a theoretical maximum
> of ~220 sq-km. Even when taking into calculation the very random
> signal-strength of the active BTS, the figure isn't much better.
> Furthermore signal strength reading isn't comparable between different
> models of cellphones due to varying antenna and receiver sensitivity, what
> makes it almost useless for centralized databases.
> To start with point b), according to http://nobbi.com/glossar.htm#ta we
> can see from the timing advance value "TA:1" in [Display 1], that we are
> at a distance to BTS of >(1 x 550m) and <(2 x 550m)
> # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1"
> # might mean (0x550) < distance < (1x550) ))
> Anyway, obviously that's _much_better_ than guessing our distance to BTS
> based on some random signal-strength reading, that may jump up and down a
> 12dB by moving just 1m or mere turning the phones heading.
> To get an actual TA-reading, we have to trigger any communication between
> MS and BTS. Any command sequence like "*#100#" will do, even when the
> network answers "not done".
> Now for point a):
> (( I'm concatenating the info of the 3 displays for better reading. All
> cells were "N"=normal priority, 1.line is channel, 2.ff lines the signal
> strength ))
> ****
> Neighbour cells info (NCELL-list) [Display 3-5]:
> ----
> OM apartment, balcony:
> 706__690__704__699__709__681__696__||_700__687
> -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
> -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
> The max and min readings where obtained by moving the phone ~60cm!
> Channels right of "||" are occasional readings, kicking out some weaker
> station.
> OM apartment, big dorm (no more max and min, variation was like above):
> 706__699__704__690__701__681__702
> -52__-56__-66__-72__-74__-76__-81
> Front of OM Ap. building
> 706__697__689__692__701__695__693
> -48__-66__-70__-71__-71__-74__-76
> Front of OM Ap. building, 3m away
> 706__689__683__687__697__695__701
> -53__-68__-70__-73__-73__-78__-79
> 50m down he street, near park
> 706__683__692__689__695__697__702
> -49__-79__-79__-79__-82__-82__-82
> 150m direction 101, inside park
> 693__697__681__706__689__699__702
> -71__-73__-73__-74__-76__-77__-85
> From this data, we see it's quite possible to determine location to a
> precision of around 100 x 100m or even better.
> Of course this depends on the density of BTS again.
> To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
> whether we can get he NCEL-list from our GSM-modems.
> Further refinement is possible by using special debug modes of the modem
> to register with remote neighbour cells and thus get a TA and thus
> distance reading for them too. ((see
> http://nobbi.com/download/nmmanual.pdf p.11,
> ["Display 17 – Switch 'BTS Test' Status"]))
> cheers

More information about the openmoko-kernel mailing list