locating via GSM, revisited again

Joerg Reisenweber joerg at openmoko.org
Sun Jun 1 01:30:32 CEST 2008

Last weekend I did a little test with German provider O2. As mentioned earlier 
in this thread, they send Gauss-Krueger coords (minus last digit) over 
CBC:221. First reading is the default BS, the other readings were forced cell 
reselect (display 17) and thus also provide a TA value.
Using this info you should be able to track me down to a nice cafe, maybe even 
the table I've been sitting at. ;-) Looking forward to meet you there!
Probably GPS wouldn't get a fix there, though I didn't try. 

ch | CID |sig|TA|Gauss-Krueger (append a 0)
683|48002|-63| 1|364977,548097
696| 6709|-70| 2|364978,548034
711| 8002|-77| 1|364981,548105
645|28928|-83| 2|364883,548122
650| 8303|-85| 3|364912,547947
690|28035|-86| 3|364862,548162
698|28772|-88| 4|364781,548085
637|28002|-77| 1|364985,548097
689|48970|-84| 1|365032,548092

Last cell was TA=2 sometime. Due to the complicated manually forced reselect 
process (restart phone :-( ) and taking some minutes to register for some of 
the later cells,  the acquisition of this dataset took pretty much longer 
than half an hour. Anyway a good accuracy should be achievable with the first 
few cells that were rather fast, and automated forced reselection (if 
feasible) can further speed up the whole process reasonably.

Please someone who's good at geographics/maps give it a try and report your 
findings. If I see a nice map with a couple of intersecting ring-segments, 
I'll invite you on a beer there :-)


On Sun 20 April 2008, joerg at openmoko.org wrote:
> This is about getting your actual position, not by means of GPS or WiFi 
> scanning (like http://www.skyhookwireless.com), but by exploiting the 
> information you may get from GSM network fingerprint.
> All the tests were done with an old Nokia 6210.
> Everybody knows you may get information about the serving cell 
> (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With 
> this info, by getting exact geographical data for the BTS, you may describe 
> an area nearly the form of a circle with the BS position as center, where your 
> actual location is supposed to be within. The radius of this circle may vary 
> from a few 100 meters to a virtual maximum of 35km, depending on the BTS 
> density (distance between BTS) of the area you are traveling.
> There is not so well-known further more detailed information you may get from 
> your GSM-modem (MobileStation, MS), which consists of:
> a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
> b) The distance to your active BTS, in increments of 550m (Timing Advance, 
> This additional info may be used to dramatically improve the precision of 
> GSM-based location data.
> According to
> http://nobbi.com/download/nmmanual.pdf  p.6,["Display 3 – Serving cell, 1st 
> and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network 
> in OM apartment/Taipei and adjacent areas.
> ****
> Basic BTS and network info [Display 1]:
> ----
> CH:706 RxL:-58 TxPWr:xxx
> TS:0 TA:1 RQ:x RLT:xxxx
> C1:51 C2:51 
> ****
> Basic BTS and network info [Display 11]:
> ----
> MCC:466 MNC:97
> LocAreaCode:(LAC:) 12902
> ServChannel:706
> CellId:19351
> That's quite the data everyone is thinking of when it comes to GSM-location 
> services, like here: http://janus.liebregts.nl/cellid/index_en.html.
> Get the coordinates of BTS ID:19351 and you roughly know where you are.
> Anyway, as described above, this data is not as precise as we would like to 
> see it, giving an area for the current location of about 3 square-km and up 
> to a theoretical maximum of ~220 sq-km. Even when taking into calculation the 
> very random signal-strength of the active BTS, the figure isn't much better. 
> Furthermore signal strength reading isn't comparable between different 
> of cellphones due to varying antenna and receiver sensitivity, what makes it 
> almost useless for centralized databases.
> To start with point b), according to http://nobbi.com/glossar.htm#ta we can 
> see from the timing advance value "TA:1" in [Display 1], that we are at a 
> distance to BTS of >(1 x 550m) and <(2 x 550m)
> # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might 
> # mean (0x550) < distance < (1x550) ))
> Anyway, obviously that's _much_better_ than guessing our distance to BTS 
> on some random signal-strength reading, that may jump up and down a 12dB by 
> moving just 1m or merely turning the phone's heading.
> To get an actual TA-reading, we have to trigger any communication between MS 
> and BTS. Any command sequence like "*#100#" will do, even when the network 
> answers "not done".
> Now for point a):
> (( I'm concatenating the info of the 3 displays for better reading. All 
> were "N"=normal priority, 1.line is channel, 2.ff lines the signal 
> strength ))
> ****
> Neighbour cells info (NCELL-list) [Display 3-5]:
> ----
> OM apartment, balcony:
> 706__690__704__699__709__681__696__||_700__687
> -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
> -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
> The max and min readings were obtained by moving the phone ~60cm!
> Channels right of "||" are occasional readings, kicking out some weaker 
> station.
> OM apartment, big dorm (no more max and min, variation was like above):
> 706__699__704__690__701__681__702
> -52__-56__-66__-72__-74__-76__-81
> Front of OM Ap. building
> 706__697__689__692__701__695__693
> -48__-66__-70__-71__-71__-74__-76
> Front of OM Ap. building, 3m away
> 706__689__683__687__697__695__701
> -53__-68__-70__-73__-73__-78__-79
> 50m down the street, near park
> 706__683__692__689__695__697__702
> -49__-79__-79__-79__-82__-82__-82
> 150m direction 101, inside park
> 693__697__681__706__689__699__702
> -71__-73__-73__-74__-76__-77__-85
> From this data, we see it's quite possible to determine location to a 
> precision of around 100 x 100m or even better.
> Of course this depends on the density of BTS again.
> To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated 
> whether we can get the NCELL-list from our GSM-modems.
> Further refinement is possible by using special debug modes of the modem to 
> register with remote neighbour cells and thus get a TA and thus distance 
> reading for them too. ((see http://nobbi.com/download/nmmanual.pdf p.11, 
> ["Display 17 – Switch 'BTS Test' Status"]))
> cheers
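
The ring intersection asked for in the message above, as an added example (not part of the original post and not Openmoko code): it turns each table row into a distance ring around the cell's Gauss-Krueger position and grid-searches for the points lying inside the most rings. The 550 m step and the two possible TA bases come from the message; the function names, the 50 m grid step and the 3000 m search margin are assumptions made for this sketch.

```python
import math

# Rows copied from the table in the message: ch|CID|sig|TA|Gauss-Krueger.
TABLE = """\
683|48002|-63| 1|364977,548097
696| 6709|-70| 2|364978,548034
711| 8002|-77| 1|364981,548105
645|28928|-83| 2|364883,548122
650| 8303|-85| 3|364912,547947
690|28035|-86| 3|364862,548162
698|28772|-88| 4|364781,548085
637|28002|-77| 1|364985,548097
689|48970|-84| 1|365032,548092
"""
TA_STEP_M = 550  # metres per TA increment, the figure quoted in the message

def parse(table):
    cells = []
    for line in table.strip().splitlines():
        *_, ta, gk = (f.strip() for f in line.split("|"))
        e, n = (int(v) * 10 for v in gk.split(","))  # "append a 0" -> metres
        cells.append({"ta": int(ta), "e": e, "n": n})
    return cells

def ta_ring(ta, base=0):
    # base=0: TA:1 -> 550..1100 m; base=1: 0..550 m (both readings are from the message).
    k = max(ta - base, 0)
    return k * TA_STEP_M, (k + 1) * TA_STEP_M

def rings_hit(cells, e, n, base=0):
    # Number of cells whose TA ring contains the point (e, n).
    return sum(lo <= math.hypot(e - c["e"], n - c["n"]) < hi
               for c in cells for lo, hi in [ta_ring(c["ta"], base)])

def locate(cells, base=0, step=50, margin=3000):
    # Grid search (assumed step/margin): keep the points inside the most rings.
    es, ns = [c["e"] for c in cells], [c["n"] for c in cells]
    best, pts = -1, []
    for e in range((min(es) - margin) // step * step, max(es) + margin, step):
        for n in range((min(ns) - margin) // step * step, max(ns) + margin, step):
            s = rings_hit(cells, e, n, base)
            if s > best:
                best, pts = s, []
            if s == best:
                pts.append((e, n))
    centre = (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))
    return best, centre, len(pts)

if __name__ == "__main__":
    print([locate(parse(TABLE), b) for b in (0, 1)])
```

Scoring by ring count instead of requiring a strict intersection keeps one inconsistent TA reading from emptying the result; the number of best-scoring grid points times the cell area (step squared) gives the size of the estimated region.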
