Cell phone GSM tracking using cell towers

Posted by Alex Zaah filed under Cell phone tracking

GSM tracking could either be network based or device based, while the former requires less or no operation from the mobile devices, the latter needs the mobile devices to install certain software and perform the calculating and locating operation and send the data to the location server via GPRS or WiFi or 3G.

Typically, a GSM network consists of mobile stations, cell towers (or base stations), and the network systems.

Mobile stations are mobile devices like cell phones; it has a mobile terminal and a Subscriber Identify Module (SIM).

Base station has two parts, Base Transceiver Station (BTS) and Base Station Controller (BSC).

Network system consists of Mobile-Service Switching Center (MSC), Operation and Maintenance Center (OMC) and a few other devices.

Your handset is constantly connected to the nearest cell tower set up by the carriers (this could vary depending on the mobile maker), and some cell phones can switch to other cell towers which have better signal strength automatically, that’s why they have better call quality. Each cell tower has a unique Cell ID. But it’s not always the case, nowadays a base station usually has three Cell IDs (some could have up to six, in other word six sectors), each covers a third of that area (a 120° sector).

The working range of a cell tower/base stations is determined by a few actors, like the frequency, the transmitter’s rated power and size and height of the antenna, as well as weather conditions. Generally, cell towers are grouped in areas of high population density because each base station is limited by its capacity. In suburban areas, base stations/macro cells are commonly spaced 1-2 miles apart and in dense urban areas, cell towers/micro cells/pico cells may be as close as 200 hundred meters apart or even less, that is, each base station covers an area of a circle with a diameter of 200 meters or less. Pico cells are mostly used in offices, shopping malls, airports etc. In some areas, there are even femtocells in houses to improve the indoor signal strength.

That is why we can use base stations to roughly pinpoint a handset’s location.

How to calculate the location

In order to find the location of a mobile device, you need a few parameters. You can use some mobile apps or enter test mode
to get these parameters.

LAC – Location area code
CID – Cell ID
MCC – Mobile country code
MNC – Mobile network code
CH – Channel, GSM900 ranges 1-124, BC GSM1800 ranges 512~885
TA – Timing advance, usually 0~63
RxL – Signal reception strength, usually -110~0-dBm
TxPwr – power level, usually 0~19

In theory, a cell tower covers an area with a radius of at most 35km (3.7us×63×3×108m/s÷2=35km). To roughly measure the distance from a cell phone to the cell tower connected, we can use TA times 500 (TA * 500). The more accurate distance can be calculated by this formula:

Distance(L)=TA*500+RxL*A+TxPwr*B (A:Attenuation coefficient; B: Transmission coefficient)

You also need a database of the GPS coordinates (latitude, longitude, altitude) of each base station to calculate the distance from the cell tower your cell phone connected to, then you can get a circle and you handset could be anywhere in that circle. But if the cell tower contains three Cell ID (three sectors), the location could be more accurate (see below).

Actually, if you can obtain your LAC and CID, you can find your phone’s rough location (which in fact is the location of the cell site) as well. Google Maps for mobile uses base stations to locate your cell phone too. It has a unique feature called my location, you can view your location even your phone do not have GPS, it use nearby cell towers (three or more for more precise location, see below) to find your location. If you have GPS, Google Maps will acquire the coordinates and other information of your nearby cell sites and upload them to Google severs for location service.

The accuracy depends on the density of cell towers, it varies in a range from some 50 meters to 550 meters, so it’s much less accurate than GPS locating. But it’s still useful at downtown where the density is much higher. When it comes to femtocells, the accuracy is much higher.

Five types of GSM cell tower based mobile tracking

1. TA or CellID+TA. This is what we discussed above.
2. AOA (Angle of Arrival) It’s also widely used in GSM tracking. It’s called triangulation as well, it requires at least two (usually three or more) cell towers to pinpoint a mobile device, and three base station can improve the accuracy. The base station utilize a special antenna array to survey the direction of the signal, and the intersect of the two lines of direction surveyed by two base stations is the location of a cell phone, however, the accuracy decreases when the distance get longer.
3. TOA (Time of Arrival)
4. TDOA (Time Difference of Arrival)
5. E-OTD (Enhanced-Observed Time Difference)

One algorithm by Jared Kells using signal strength to triangulate the position can be found here.

Copyright © 2021 Profone Tracking by Alex Zaah. All Rights Reserved.