This is about getting your actual position, not by means of GPS or WiFi scanning (like http://www.skyhookwireless.com), but by exploiting the information you may get from the GSM network fingerprint. All the tests were done with an old Nokia 6210.

Everybody knows you may get information about the serving cell (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With this info, by getting exact geographical data for the BTS, you may describe an area, nearly the form of a circle with the BS position as center, within which your actual location is supposed to be. The radius of this circle may vary from a few 100 meters to a virtual maximum of 35km, depending on the BTS density (distance between BTS) of the area you are traveling.

There is further, more detailed and not so well-known information you may get from your GSM-modem (MobileStation, MS), which consists of:

a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
b) The distance to your active BTS, in increments of 550m (Timing Advance, TA)

This additional info may be used to dramatically improve the precision of GSM-based location data.

According to http://nobbi.com/download/nmmanual.pdf p.6, ["Display 3 – Serving cell, 1st and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network in OM apartment/Taipei and adjacent areas.

**** Basic BTS and network info [Display 1]:
----
CH:706 RxL:-58 TxPWr:xxx TS:0 TA:1 RQ:x RLT:xxxx C1:51 C2:51 CHT:CCCH

**** Basic BTS and network info [Display 11]:
----
MCC:466 MNC:97 LocAreaCode:(LAC:) 12902 ServChannel:706 CellId:19351

That's pretty much the data everyone is thinking of when it comes to GSM-location services, like here: http://janus.liebregts.nl/cellid/index_en.html. Get the coordinates of BTS ID:19351 and you roughly know where you are. Anyway, as described above, this data is not as precise as we would like to see it, giving an area for the current location of about 3 square-km and up to a theoretical maximum of ~220 sq-km. Even when taking into calculation the very random signal-strength of the active BTS, the figure isn't much better. Furthermore, signal strength readings aren't comparable between different models of cellphones due to varying antenna and receiver sensitivity, which makes them almost useless for centralized databases.

To start with point b), according to http://nobbi.com/glossar.htm#ta we can see from the timing advance value "TA:1" in [Display 1] that we are at a distance to BTS of >(1 x 550m) and <(2 x 550m)

# ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
# mean (0x550) < distance < (1x550) ))

Anyway, obviously that's _much_better_ than guessing our distance to BTS based on some random signal-strength reading, that may jump up and down by 12dB by moving just 1m or merely turning the phone's heading. To get an actual TA-reading, we have to trigger any communication between MS and BTS. Any command sequence like "*#100#" will do, even when the network answers "not done".

Now for point a):
(( I'm concatenating the info of the 3 displays for better reading. All cells were "N"=normal priority; the 1st line is the channel, the following lines the signal strength ))

**** Neighbour cells info (NCELL-list) [Display 3-5]:
----
OM apartment, balcony:
706__690__704__699__709__681__696__||_700__687
-35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
-62__-63__-68__-72__-72__-74__nul__||_nul__nul min

The max and min readings were obtained by moving the phone ~60cm! Channels right of "||" are occasional readings, kicking out some weaker station.

OM apartment, big dorm (no more max and min, variation was like above):
706__699__704__690__701__681__702
-52__-56__-66__-72__-74__-76__-81

Front of OM Ap. building
706__697__689__692__701__695__693
-48__-66__-70__-71__-71__-74__-76

Front of OM Ap. building, 3m away
706__689__683__687__697__695__701
-53__-68__-70__-73__-73__-78__-79

50m down the street, near park
706__683__692__689__695__697__702
-49__-79__-79__-79__-82__-82__-82

150m direction 101, inside park
693__697__681__706__689__699__702
-71__-73__-73__-74__-76__-77__-85

From this data, we see it's quite possible to determine location to a precision of around 100 x 100m or even better. Of course this depends on the density of BTS again.

To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated whether we can get the NCELL-list from our GSM-modems.

Further refinement is possible by using special debug modes of the modem to register with remote neighbour cells and thus get a TA and thus distance reading for them too. ((see http://nobbi.com/download/nmmanual.pdf p.11, ["Display 17 – Switch 'BTS Test' Status"]))

cheers
jOERG
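
Added example (not part of the original post): a minimal fingerprint matcher in Python that treats the NCELL readings listed above as a survey database and ranks the surveyed spots by RMS difference to a new reading. The function names, the -95 dBm floor for channels missing from a reading, and the sample reading in the comment are assumptions; comparing absolute dBm values also assumes the same phone model took both the survey and the new reading.

```python
# Added illustration, not code from the original post.
# Survey data: channel -> signal strength (dBm), copied from the readings above.
FINGERPRINTS = {
    "big dorm": {706: -52, 699: -56, 704: -66, 690: -72,
                 701: -74, 681: -76, 702: -81},
    "front of building": {706: -48, 697: -66, 689: -70, 692: -71,
                          701: -71, 695: -74, 693: -76},
    "front of building, 3m away": {706: -53, 689: -68, 683: -70, 687: -73,
                                   697: -73, 695: -78, 701: -79},
    "50m down the street": {706: -49, 683: -79, 692: -79, 689: -79,
                            695: -82, 697: -82, 702: -82},
    "150m, inside park": {693: -71, 697: -73, 681: -73, 706: -74,
                          689: -76, 699: -77, 702: -85},
}

FLOOR_DBM = -95  # assumed level for a channel that is absent from a reading


def fingerprint_distance(observed, stored, floor=FLOOR_DBM):
    """RMS difference in dB over the union of channels in both readings.

    A channel present in only one reading is compared against `floor`,
    so a station that was kicked out of the list by a stronger one costs
    a penalty instead of being silently ignored.
    """
    channels = set(observed) | set(stored)
    total = sum((observed.get(ch, floor) - stored.get(ch, floor)) ** 2
                for ch in channels)
    return (total / len(channels)) ** 0.5


def locate(observed, fingerprints=FINGERPRINTS):
    """Return [(distance_db, spot), ...] sorted best match first."""
    return sorted((fingerprint_distance(observed, fp), spot)
                  for spot, fp in fingerprints.items())


def ta_band(ta, step_m=550):
    """Distance band in metres for a TA value, using the post's first
    reading of TA (TA*550m < d < (TA+1)*550m) and its 550m step."""
    return ta * step_m, (ta + 1) * step_m


if __name__ == "__main__":
    # Constructed reading: park values shifted by 3 dB, channel 702 dropped.
    reading = {693: -74, 697: -70, 681: -76, 706: -71, 689: -79, 699: -80}
    for dist, spot in locate(reading):
        print(f"{dist:6.2f} dB  {spot}")
    print("TA:1 ->", ta_band(1), "m")
```

With only a handful of surveyed spots the ranking separates the park from the street-side readings mainly through the serving-cell level on channel 706; a denser survey would be needed before the 3m-apart readings could be told apart reliably.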
