GSM as GPS project

Target of the project

The target of the project is to research just how precisely a GSM phone can be used to determine the location of the person carrying it.

Recent news has shown that the Dutch police do use location information as evidence in court. According to this report (in Dutch), a man is believed to be the person who started a fire, partly based on the fact that his GSM pinpoints him at the location of the fire at a time before the fire.
This is interesting from a legal standpoint since logs of location of a phone are different from voice taps of a phone. Voice taps are made after permission by the right authorities when there is sufficient reason to believe the person is involved in a crime (at least that's the correct procedure). This kind of information gathering happens after the possible criminal fact has happened (so at the time of the gathering there was no permission to trace the person). The information which is gathered is location data which is fundamentally different from conversation logs.

Similar things have happened in the US: a person was found (dead) using cellphone location records (Washington Post, simple registration required). This story shows that location records are kept by the phone companies. (Source: comp.risks)


A person carries a GSM phone and a GPS receiver with him. The GSM is set up to output antenna information, the GPS is set up to output location information. The data is logged together by a handheld computer.


Programmatic method

At a regular interval, the current combination of location (GPS) and antenna status should be checked to see whether it has changed enough since the last measurement; if so, it is written to the logging device.

Data processing

The logged data should be processed: relating antenna numbers and signal strengths to the GPS location of each measurement, working out where each antenna is located (using triangulation), calculating the precision of the antenna locations, and determining how precisely the location of a GSM phone can be calculated from its antenna readings.
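
An added sketch (not the author's code) of the two steps above: deciding whether a sample has changed enough to log, then estimating a position and spread per cell from the kept samples. It uses a signal-weighted centroid of the GPS fixes as a simple stand-in for the triangulation mentioned above. The record layout, thresholds and sample coordinates are assumptions made for the example.

```python
import math
from collections import defaultdict

def distance_m(a, b):
    """Haversine distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def changed_enough(prev, cur, min_move_m=50.0, min_rssi_step=3):
    """True if the cell changed, or signal or position moved past a threshold."""
    if prev is None or prev["cell"] != cur["cell"]:
        return True
    if abs(prev["rssi"] - cur["rssi"]) >= min_rssi_step:
        return True
    return distance_m(prev["pos"], cur["pos"]) >= min_move_m

def filter_log(samples):
    """Keep only samples that differ enough from the last sample kept."""
    kept = []
    for s in samples:
        if changed_enough(kept[-1] if kept else None, s):
            kept.append(s)
    return kept

def estimate_cells(records):
    """Per cell: signal-weighted centroid of the fixes and the farthest fix from it."""
    # Expects rssi on the +CSQ scale 0..31; drop 99 (unknown) before calling.
    by_cell = defaultdict(list)
    for r in records:
        by_cell[r["cell"]].append(r)
    out = {}
    for cell, rs in by_cell.items():
        weights = [r["rssi"] + 1 for r in rs]  # +1 so rssi 0 still counts
        # Averaging lat/lon directly is fine over the few km a cell covers.
        lat = sum(w * r["pos"][0] for w, r in zip(weights, rs)) / sum(weights)
        lon = sum(w * r["pos"][1] for w, r in zip(weights, rs)) / sum(weights)
        spread = max(distance_m((lat, lon), r["pos"]) for r in rs)
        out[cell] = {"pos": (lat, lon), "spread_m": spread, "fixes": len(rs)}
    return out

# Constructed sample walk: coordinates and readings are made up for illustration.
SAMPLES = [
    {"pos": (52.0900, 5.1200), "cell": 0x6E0B, "rssi": 17},
    {"pos": (52.0901, 5.1201), "cell": 0x6E0B, "rssi": 17},  # about 13 m on: skipped
    {"pos": (52.0910, 5.1200), "cell": 0x6E0B, "rssi": 12},
    {"pos": (52.0920, 5.1200), "cell": 0x6E0C, "rssi": 20},
]
```

The spread per cell is the quantity the project asks about: with only a cell number, the phone could be anywhere within at least that distance of the estimated position.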

First steps

At this moment (13 Nov 2000) I have a Siemens C35i prepay (from the Whepp sweepstake) and I borrowed a data cable. I tried Nobbi Monitor and already got a list of cells. For some reason, the phone changes cells a lot when monitored (Heisenberg principle :)

A report from the cell list:

11/10/00 10:32:02 AM    12592       3   unknown
11/10/00 10:32:28 AM     2613       3   unknown
11/10/00 10:32:34 AM    12592       3   unknown
11/10/00 10:32:46 AM     2613       3   unknown
11/10/00 10:32:58 AM    -       -       lost service
11/10/00 10:33:02 AM    12592       3   unknown
11/10/00 10:33:16 AM    -       -       lost service
11/10/00 10:33:32 AM     2613       3   unknown
11/10/00 10:33:36 AM    12592       3   unknown
11/10/00 10:33:50 AM    -       -       lost service
11/10/00 10:34:02 AM     2613       3   unknown
11/10/00 10:34:08 AM    12592       3   unknown

That is 2 different cells (12592 and 2613). I don't have a map of which cell number maps to which physical location (maps welcome for Libertel.. or any other Dutch provider).

And doing this myself from a serial terminal program (OK, loads of docs on what to type help):

+CREG: 0,1,"0003","6F05"

Area 0x0003, Cell number 0x6F05. Repeat until bored :)

+CSQ: 13,99

13 = signal level, 99 = bit error rate unknown.

The readings vary a lot. Which makes me wonder how feasible the 'using gsm for determining location' idea is. But the fact that the phone lies on top of a metal desk when it's connected to the computer might influence readings.

More steps

I bought a very cheap data cable (20 guilders) at a computer fair. Inside the computer fair I had a very strong signal with a constant cell number (0xC440) which suggests the fair has an 'internal' cell number.

And something probably got fixed at Libertel since I now have a very constant cell number (12592) at home. Or maybe I should swap SIMs to see if prepay SIMs have a lesser quality network than subscription SIMs.

Later developments

The Siemens phone died in the meantime, it became 2005, and I now have a Nokia with Bluetooth. And I have a GPS unit, sometimes used for wardriving (finding open wireless networks). Logging GSM cell numbers instead of wireless access points should not be that different.

The Nokia is willing to show cell numbers, given an initialization command, after which it will also report when the cell number changes:

+CREG: 2,1,"0021","6E0B"


+CREG: 1,"0021","6E0C"

+CREG: 1,"0021","6E0B"

+CSQ: 17,99

And I can ask nicely for the network list.. and wait a bit for the answer:

+COPS: 0,2,"20404"

+COPS: (1,"vodafone NL",,"20404"),(3,"O2 - NL",,"20412"),
(3,"NL KPN",,"20408"),(3,"Orange NL",,"20420"),
(3,"T-Mobile NL",,"20416"),,(0,1),(2)

The codes (like 20404) are from the networks, but the descriptions are just what the phone remembers, so that's why it shows the already old name for "O2".
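
A parser for the +CREG and +CSQ responses shown above, as an added example rather than the author's code. The status names and the dBm conversion (-113 + 2 × rssi) follow the definitions of these commands in 3GPP TS 27.007; the function names are illustrative.

```python
import re

CREG_RE = re.compile(r'^\+CREG:\s*(?:(\d+),)?(\d+),"([0-9A-Fa-f]+)","([0-9A-Fa-f]+)"$')
CSQ_RE = re.compile(r'^\+CSQ:\s*(\d+),(\d+)$')
# Registration status codes defined for +CREG in 3GPP TS 27.007.
STAT = {0: "not registered", 1: "registered, home", 2: "searching",
        3: "denied", 4: "unknown", 5: "registered, roaming"}

def parse_creg(line):
    """Parse a solicited (n,stat,lac,ci) or unsolicited (stat,lac,ci) +CREG line."""
    m = CREG_RE.match(line.strip())
    if not m:
        return None  # not +CREG, or a +CREG without location fields
    n, stat, lac, ci = m.groups()
    return {"solicited": n is not None, "stat": STAT.get(int(stat), "reserved"),
            "lac": int(lac, 16), "cell": int(ci, 16)}

def parse_csq(line):
    """Parse +CSQ: rssi,ber; rssi 0..31 maps to -113 + 2*rssi dBm, 99 is unknown."""
    m = CSQ_RE.match(line.strip())
    if not m:
        return None
    rssi, ber = int(m.group(1)), int(m.group(2))
    return {"rssi": rssi, "dbm": -113 + 2 * rssi if rssi <= 31 else None,
            "ber": None if ber == 99 else ber}

def cell_track(lines):
    """Return the sequence of (lac, cell) pairs, collapsing consecutive repeats."""
    track = []
    for line in lines:
        reg = parse_creg(line)
        if reg and (not track or track[-1] != (reg["lac"], reg["cell"])):
            track.append((reg["lac"], reg["cell"]))
    return track

# Response lines as they appear on this page.
PAGE_LINES = ['+CREG: 2,1,"0021","6E0B"', '+CREG: 1,"0021","6E0C"',
              '+CREG: 1,"0021","6E0B"', '+CSQ: 17,99']
```

Converting the hexadecimal fields to decimal makes them comparable with the Nobbi Monitor list, where cells appear as numbers such as 12592.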

Somebody else gets the same idea

Eventually, somebody else will get the same bright idea. Searching for something completely different, I found GSM cells, mapping CellID to GPS coordinates


Nokia forum AT Command Set For Nokia GSM And WCDMA Products
ITU-T E.212 numbering plan the MCC-MNC codes used for GSM networks
Place Lab: A privacy-observant location system
NetMonitor in Nokia phones
A method for implementing Mobile Station Location in GSM

Koos van den Hout