Nov.19, 2010 in Mobile tracking by Alex Zaah

GSM tracking can be either network based or device based. The former requires little or no operation from the mobile device, while the latter requires the mobile device to install certain software, perform the calculating and locating operation, and send the data to the location server via GPRS, WiFi or 3G.

Typically, a GSM network consists of mobile stations, cell towers (or base stations), and the network systems.

Mobile stations are mobile devices like cell phones; each consists of a mobile terminal and a Subscriber Identity Module (SIM).


A base station consists of a Base Transceiver Station (BTS) and a Base Station Controller (BSC).

The network system consists of a Mobile-Service Switching Center (MSC), an Operation and Maintenance Center (OMC) and a few other devices.

Your cell phone is constantly connected to the nearest cell tower set up by the carriers, and some cell phones can automatically switch to another cell tower that has better signal strength, which is why they have better call quality. Each cell tower has a unique Cell ID. But that is not always the case: sometimes a base station has three Cell IDs, each covering a third of its area (a 120° sector).

The working range of a cell tower/base station is determined by a few factors, like the frequency, the transmitter’s rated power and size, as well as weather conditions. Generally, cell towers are grouped in areas of high population density because each base station is limited by its capacity. In suburban areas, base stations are commonly spaced 1-2 miles apart, and in dense urban areas cell towers may be as close as 200 meters apart or even less; that is, each base station covers a circle with a diameter of 200 meters or less.

That is why we can use base stations to roughly locate a cell phone.

How to calculate the location

In order to find the location of a cell phone, you need a few parameters. You can use some mobile apps or enter test mode to get these parameters.

LAC – Location area code
CID – Cell ID
MCC – Mobile country code
MNC – Mobile network code
CH – Channel, GSM900 ranges 1-124, BC GSM1800 ranges 512~885
TA – Timing advance, usually 0~63
RxL – Signal reception strength, usually -110~!0-dBm
TxPwr – power level, usually 0~19

Generally, TA times 500 gives the distance from your cell phone to the cell tower. A more exact distance can be calculated with this formula:

Distance(L)=TA*500+RxL*A+TxPwr*B

You also need a database of the GPS coordinates (latitude, longitude, altitude) of each base station. With the coordinates of the cell tower your cell phone is connected to and the calculated distance, you get a circle, and your cell phone could be anywhere in that circle. But if the cell tower has three Cell IDs, the location could be more accurate (see below).

GSM tracking based on cell towers or base stations

Actually, if you can obtain your LAC and CID, you can find your rough location as well. In fact, Google Maps for mobile also uses base stations to locate your cell phone. It has a unique feature called My Location that lets you view your location even if you do not have GPS; it uses nearby cell towers (three or more for a more exact location) to find your location. If you have GPS, Google Maps will acquire the coordinates and other information of your nearby GPS and upload them to Google location servers.

The accuracy depends on the density of cell towers and varies in a range from some 50 meters to 550 meters, so it’s much less accurate than GPS locating. But it’s still useful downtown, where the density is much higher.

Five types of GSM cell tower based cell phone tracking

1. TA or CellID+TA. This is what we discussed above.
2. AOA (Angle of Arrival). It’s also widely used in GSM tracking and is called triangulation as well. It requires at least two (usually three) cell towers to locate a cell phone, and three base stations can improve the accuracy. Each base station uses a special antenna array to survey the direction of the signal, and the intersection of the two lines of direction surveyed by two base stations is the location of the cell phone. However, the accuracy decreases as the distance gets longer.
3. TOA (Time of Arrival)
4. TDOA (Time Difference of Arrival)
5. E-OTD (Enhanced-Observed Time Difference)
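
The AOA fix from item 2, as an added example that is not from the original post: it intersects two bearing lines on a flat local grid in metres and measures how a fixed bearing error turns into a larger position error as the phone moves away. The station positions, the function names and the 1 degree error are assumptions chosen for illustration.

```python
import math

def bearing(src, dst):
    """Direction from src to dst, degrees clockwise from north (+y)."""
    return math.degrees(math.atan2(dst[0] - src[0], dst[1] - src[1])) % 360

def aoa_fix(bs1, brg1, bs2, brg2):
    """Intersect the bearing lines measured at two base stations.

    Positions are (x, y) in metres on a flat local grid (an assumption
    that only holds over short ranges). Returns (x, y), or None when the
    bearings are parallel or the lines cross behind a station.
    """
    d1 = (math.sin(math.radians(brg1)), math.cos(math.radians(brg1)))
    d2 = (math.sin(math.radians(brg2)), math.cos(math.radians(brg2)))
    rx, ry = bs2[0] - bs1[0], bs2[1] - bs1[1]
    # Solve bs1 + t1*d1 == bs2 + t2*d2 for t1, t2 (Cramer's rule).
    det = d2[0] * d1[1] - d1[0] * d2[1]
    if abs(det) < 1e-12:
        return None
    t1 = (d2[0] * ry - rx * d2[1]) / det
    t2 = (d1[0] * ry - rx * d1[1]) / det
    if t1 < 0 or t2 < 0:
        return None
    return (bs1[0] + t1 * d1[0], bs1[1] + t1 * d1[1])

def fix_error(bs1, bs2, phone, err_deg):
    """Position error (m) when bs1's measured bearing is off by err_deg."""
    est = aoa_fix(bs1, bearing(bs1, phone) + err_deg, bs2, bearing(bs2, phone))
    return None if est is None else math.dist(est, phone)

# Constructed sample geometry: two stations 1 km apart, phone moving away.
BS1, BS2 = (0.0, 0.0), (1000.0, 0.0)
PHONES = [(500.0, 500.0), (500.0, 2000.0), (500.0, 5000.0)]

def error_table(err_deg=1.0):
    """Position error for each sample phone position at a given bearing error."""
    return [(p, fix_error(BS1, BS2, p, err_deg)) for p in PHONES]

if __name__ == "__main__":
    for phone, err in error_table():
        print(f"phone at {phone}: 1 degree bearing error -> {err:.0f} m off")
```
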
