On 20/04/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> This is about getting your actual position, not by means of GPS or WiFi
> scanning (like http://www.skyhookwireless.com), but by exploiting the
> information you may get from GSM network fingerprint.
> All the tests were done with an old Nokia 6210.
>
> Everybody knows you may get information about the serving cell
> (BaseTransmitterStation, BTS) from your GSM-modem (MobileStation, MS). With
> this info, by getting exact geographical data for the BTS, you may describe
> an area nearly the form of a circle with the BS position as center, where
> your actual location is supposed to be within. The radius of this circle may
> vary from a few 100 meters to a virtual maximum of 35km, depending on the BTS
> density (distance between BTS) of the area you are traveling.
>
> There is not so well-known further more detailed information you may get from
> your GSM-modem (MobileStation, MS), which consists of:
> a) The (usually) 6 next nearby BTS (to be correct: next best RF-signal BTS),
> b) The distance to your active BTS, in increments of 550m (Timing Advance,
> TA)
> This additional info may be used to dramatically improve the precision of
> GSM-based location data.

Wow, didn't know that. I think the timing advance must be understood as the
virtual distance the signal has to travel, i.e. signal strength and not the
distance we're interested in. Or might a GSM modem have a way to know its
physical distance from the BTS? (Maybe the BTS can know, comparing the
signal quality the phone sees and the quality of the signal *from* the phone
to BTS, or even talking to other BTSes.) It would be interesting to see how
the three values: RF SQ, TA and GPS distance correlate.

>
> According to
> http://nobbi.com/download/nmmanual.pdf p.6,["Display 3 – Serving cell, 1st
> and 2nd neighbour", ff.], I did some probes on "TWN GSM" provider's network
> in OM apartment/Taipei and adjacent areas.
> ****
> Basic BTS and network info [Display 1]:
> ----
> CH:706 RxL:-58 TxPWr:xxx
> TS:0 TA:1 RQ:x RLT:xxxx
> C1:51 C2:51
> CHT:CCCH
>
> ****
> Basic BTS and network info [Display 11]:
> ----
> MCC:466 MNC:97
> LocAreaCode:(LAC:) 12902
> ServChannel:706
> CellId:19351
>
> That's quite the data everyone is thinking of when it comes to GSM-location
> services, like here: http://janus.liebregts.nl/cellid/index_en.html.
> Get the coordinates of BTS ID:19351 and you roughly know where you are.
> Anyway, as described above, this data is not as precise as we would like to
> see it, giving an area for the current location of about 3 square-km and up
> to a theoretical maximum of ~220 sq-km. Even when taking into calculation the
> very random signal-strength of the active BTS, the figure isn't much better.
> Furthermore signal strength reading isn't comparable between different models
> of cellphones due to varying antenna and receiver sensitivity, which makes it
> almost useless for centralized databases.
>
> To start with point b), according to http://nobbi.com/glossar.htm#ta we can
> see from the timing advance value "TA:1" in [Display 1], that we are at a
> distance to BTS of >(1 x 550m) and <(2 x 550m)
> # ((please note: I'm not sure this is base:0 or base:1, so this "TA:1" might
> # mean (0x550) < distance < (1x550) ))
> Anyway, obviously that's _much_better_ than guessing our distance to BTS
> based on some random signal-strength reading, that may jump up and down a
> 12dB by moving just 1m or merely turning the phone's heading.
> To get an actual TA-reading, we have to trigger any communication between MS
> and BTS. Any command sequence like "*#100#" will do, even when the network
> answers "not done".
>
>
> Now for point a):
> (( I'm concatenating the info of the 3 displays for better reading. All cells
> were "N"=normal priority, 1.line is channel, 2.ff lines the signal
> strength ))
>
> ****
> Neighbour cells info (NCELL-list) [Display 3-5]:
> ----
> OM apartment, balcony:
> 706__690__704__699__709__681__696__||_700__687
> -35__-54__-54__-47__-58__-56__-72__||_-50__-?- max
> -62__-63__-68__-72__-72__-74__nul__||_nul__nul min
> The max and min readings were obtained by moving the phone ~60cm!
> Channels right of "||" are occasional readings, kicking out some weaker
> station.
>
> OM apartment, big dorm (no more max and min, variation was like above):
> 706__699__704__690__701__681__702
> -52__-56__-66__-72__-74__-76__-81
>
> Front of OM Ap. building
> 706__697__689__692__701__695__693
> -48__-66__-70__-71__-71__-74__-76
>
> Front of OM Ap. building, 3m away
> 706__689__683__687__697__695__701
> -53__-68__-70__-73__-73__-78__-79
>
> 50m down the street, near park
> 706__683__692__689__695__697__702
> -49__-79__-79__-79__-82__-82__-82
>
> 150m direction 101, inside park
> 693__697__681__706__689__699__702
> -71__-73__-73__-74__-76__-77__-85
>
>
> From this data, we see it's quite possible to determine location to a
> precision of around 100 x 100m or even better.
> Of course this depends on the density of BTS again.
>
>
> To use this approach with GTA02 or GTA04/Diversity, it has to be evaluated
> whether we can get the NCELL-list from our GSM-modems.

Yes, we can, the info at
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Neighbour_Cell_Information_.282.2C3.29
came from my GTA01 modem but it works also on the GTA02 modem.

In
http://wiki.openmoko.org/wiki/GTA01_gsm_modem#Serving_Cell_Information_.282.2C1.29
we also get the Timing Advance value (called tav).

We need some stats :)

I'm not sure about forcing a reselection of the station but my guess would
be that there is a command for that also.

Regards

-- 
Please do not print this email unless absolutely necessary. Spread
environmental awareness.
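
The fingerprint idea discussed in this thread, as an added example that is not part of either message: it matches an observed neighbour-cell list against the readings quoted above and turns a TA value into a distance band. The -110 dBm floor for missing channels, the mean-absolute-difference metric, the shortened location labels and the OBSERVED sample are assumptions made for the illustration.

```python
# Added example: nearest-fingerprint lookup over neighbour-cell (NCELL) lists.
TA_STEP_M = 550    # metres per Timing Advance step, the figure used in the post
FLOOR_DBM = -110   # assumption: level assigned to a channel absent from a list

# Readings quoted in the post, {channel: signal strength}; labels are shortened.
FINGERPRINTS = {
    "big dorm":    {706: -52, 699: -56, 704: -66, 690: -72, 701: -74, 681: -76, 702: -81},
    "front":       {706: -48, 697: -66, 689: -70, 692: -71, 701: -71, 695: -74, 693: -76},
    "front, 3m":   {706: -53, 689: -68, 683: -70, 687: -73, 697: -73, 695: -78, 701: -79},
    "street, 50m": {706: -49, 683: -79, 692: -79, 689: -79, 695: -82, 697: -82, 702: -82},
    "park, 150m":  {693: -71, 697: -73, 681: -73, 706: -74, 689: -76, 699: -77, 702: -85},
}

# Constructed sample: the "front" reading with a few dB of jitter and one weak
# neighbour (693) replaced by another (690), as the post observed can happen.
OBSERVED = {706: -51, 697: -63, 689: -73, 692: -69, 701: -74, 695: -71, 690: -80}


def ta_ring(ta):
    """Distance band in metres for a TA value, following the post's first
    reading (TA:1 -> 550..1100 m); the post is unsure about the off-by-one."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def distance(a, b):
    """Mean absolute dB difference over the union of channels in both lists."""
    channels = set(a) | set(b)
    return sum(abs(a.get(c, FLOOR_DBM) - b.get(c, FLOOR_DBM)) for c in channels) / len(channels)


def rank_matches(observed, fingerprints=FINGERPRINTS):
    """Return (label, distance) pairs, closest stored fingerprint first."""
    scored = [(label, distance(observed, fp)) for label, fp in fingerprints.items()]
    return sorted(scored, key=lambda pair: pair[1])


if __name__ == "__main__":
    print("TA:1 ->", ta_ring(1), "m from the serving BTS")
    for label, d in rank_matches(OBSERVED):
        print(f"{label:12s} {d:6.2f} dB")
```

As the quoted post notes, signal strength readings are not comparable between phone models, so a table like this is only meaningful for the handset that recorded it.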
