Geolocation Experiment using the Mobile GSM Cellular Network

This experiment involved acquiring CellID and signal strength information from the GSM cellular network, tracking one's position while acquiring this data, and finally presenting it nicely. It is summarised in the pictures below (full details are given in the sections that follow):

Hardware:

Mapping position and signal strength measurements:

Mobile state (including CellID):

Hardware

An old Nokia mobile with DCT-3 firmware (for network monitor mode) is required. The phone needs to be connected to a computer via its FBUS serial interface, so some level conversion hardware is also required. Since most modern laptops do not have an external serial port, an RS-232 to USB converter is also a good idea.

An old battery was used to interface with the phone. The cell itself was removed, along with the battery interface board, leaving (as you might imagine) just the case itself. Holes were drilled into the bottom of the case above the MBUS/FBUS pads on the phone, and small metal contacts were placed in the holes to complete the circuit:

Note: the following picture from early in the experiment demonstrates powering the battery's original control circuit (so the mobile thinks it is still connected to a cell), such as found here. This is not a good idea, as a voltage difference is created between 'battery ground' and 'FBUS ground'. This configuration often causes the phone to switch off when attempting to transmit (probably to save itself from an overload), and has not been used. Instead the battery's control circuit should be removed and connections should be made to the phone's battery terminals directly (e.g. like this). In effect the phone will think it's on a test stand receiving a constant DC supply, and switch off its battery charging circuitry (see below).

Once the phone's battery terminals are connected directly (I just had some wire going through the battery case and wrapped around the four contacts), the correct resistors need to be chosen so the phone will think it is connected to a service battery:

Finally, to make sure it works, you can fire up N-Monitor and see if your computer and phone can communicate:

Collecting the data

Two streams of data are of interest: trace information from the mobile and position information from a GPS receiver.

To acquire position information, I used a commercial Navman device, which was modified to boot into WinCE and transmit NMEA data over a TCP connection (via Bluetooth Dial-Up Networking and GPS2Blue) to a virtual serial port on my laptop, which in turn was connected to gpsd. Full details can be found here.

To enable network monitor mode and receive trace information from the mobile, gammu is the way to go. Thanks to 'wumpus' and the protocol/packet dissection available at Project Blacksphere, gammu's 'nokiadebug' mode will enable a computer to receive information on what the phone is doing (note: the trace data applies to your own phone only, no one else's, so don't get any ideas...).

A sample (pretty-printed) trace is as follows:

<1811> MDI:m2d/NMEAS_INSTRUCTIONS
t=0a4f nr=6e: D 11: 03 07 11 65 00 a2 00 65 01 00 00 00
<2413> (0/0623)
t=0a4f nr=6f:
<240E> L2:prim/RR<-:UNIT_DATA_IND(0/05EB)
t=0a4f nr=70:
<1980> MDI:d2m/RECEIVED_BLOCK
t=0a95 nr=71: D 80: ch=50 bsic=7 err=0 t=23DBD6 arfcn=101 shift=4453
Length : used=18 ID=1
Inform : [06 1b 54 93 05 f5 30 07 d6 c8 04 14 14 63 00 51 00 00]
  Radio Resources management messages (GSM 04.18)
  SYSTEM INFORMATION TYPE 3 (9.1.35)
<255A> Unknown
t=0a95 nr=72: 03 f9
<1983> MDI:d2m/RSSI_RESULTS
t=0afe nr=73: D 83: 00 00 b1 b1 00 65 ab a3 b1 a0 a0 a6 9d a1 80 a4 80 80 80 80 80 80 80 aa
<1999> MDI:d2m/TXC_BIAS_MEAS
t=0afe nr=74: D 99: 00
<184A> MDI:m2d/TXC_BIAS_RESULT
t=0afe nr=75: D 4A: 01 30 14 50
<1811> MDI:m2d/NMEAS_INSTRUCTIONS
t=0aff nr=76: D 11: 03 22 0d 3c 00 93 00 5a 01 00 00 00
<1980> MDI:d2m/RECEIVED_BLOCK
t=0b1f nr=77: D 80: ch=50 bsic=34 err=0 t=23DCC6 arfcn=90 shift=3388
Length : used=16 ID=1
Inform : [06 1c 05 f5 30 07 d5 63 00 51 00 00 64 51 40 5a]
  Radio Resources management messages (GSM 04.18)
  SYSTEM INFORMATION TYPE 4 (9.1.36)

The packets sent to and received from the network are also logged in XML format, which can then be read by Wireshark:

To enable the trace information to be streamed into the final mapping application, I modified gammu by adding a TCP server, which allows clients to connect and receive the raw trace data as it is sent by the mobile. (To aid debugging and further reverse engineering of the packet information, I also added log file name incrementing so the previous log would not be overwritten - very handy indeed.)

The relevant data is collected from Radio Resource System Information packets (via MDI RECEIVED_BLOCK), as well as low-level information from phone-specific messages (in particular RSSI_RESULTS, which is not correctly documented on Project Blacksphere and required reversing).
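As an added illustration of what the mapping application has to pull out of the trace (this is example code written for this page, not gammu's code nor the project's own TCP client), the following parser reads the pretty-printed RECEIVED_BLOCK entries shown above, keeps the radio header fields (ch, bsic, arfcn, ...) and decodes the cell identity from the Radio Resource System Information Type 3 and Type 4 octets. The two sample blocks are copied verbatim from the trace on this page; the field layouts follow GSM 04.08 (Location Area Identification in section 10.5.1.3, SI3/SI4 in 9.1.35/9.1.36). The RSSI_RESULTS layout is not documented on the page, so it is not decoded here.

```python
import re

# Two RECEIVED_BLOCK entries copied verbatim from the trace shown on this page.
SAMPLE_TRACE = """\
<1980> MDI:d2m/RECEIVED_BLOCK
t=0a95 nr=71: D 80: ch=50 bsic=7 err=0 t=23DBD6 arfcn=101 shift=4453
Length : used=18 ID=1
Inform : [06 1b 54 93 05 f5 30 07 d6 c8 04 14 14 63 00 51 00 00]
  Radio Resources management messages (GSM 04.18)
  SYSTEM INFORMATION TYPE 3 (9.1.35)
<255A> Unknown
t=0a95 nr=72: 03 f9
<1980> MDI:d2m/RECEIVED_BLOCK
t=0b1f nr=77: D 80: ch=50 bsic=34 err=0 t=23DCC6 arfcn=90 shift=3388
Length : used=16 ID=1
Inform : [06 1c 05 f5 30 07 d5 63 00 51 00 00 64 51 40 5a]
  Radio Resources management messages (GSM 04.18)
  SYSTEM INFORMATION TYPE 4 (9.1.36)
"""

RR_PD = 0x06            # protocol discriminator: Radio Resource management
SI3, SI4 = 0x1B, 0x1C   # RR message types: System Information Type 3 / Type 4

# "D 80:" introduces the radio header of a RECEIVED_BLOCK; the Inform line carries the L3 octets.
HEADER_RE = re.compile(r"D 80: (?P<kv>(?:\w+=\w+ ?)+)")
INFORM_RE = re.compile(r"Inform : \[(?P<hex>[0-9a-f ]+)\]")


def decode_lai(b):
    """Location Area Identification (GSM 04.08 10.5.1.3): BCD digits, low nibble first,
    0xF in the MNC digit-3 position means a two-digit MNC; LAC is two big-endian octets."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:
        mnc += f"{b[1] >> 4}"
    lac = (b[3] << 8) | b[4]
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def decode_rr(inform):
    """Decode the cell-identifying part of an RR System Information message.
    Returns None for non-RR messages and a bare message type for other RR types."""
    if len(inform) < 2 or inform[0] != RR_PD:
        return None
    mt = inform[1]
    if mt == SI3 and len(inform) >= 9:          # PD, MT, Cell Identity (2), LAI (5), ...
        out = {"si": 3, "ci": (inform[2] << 8) | inform[3]}
        out.update(decode_lai(inform[4:9]))
        return out
    if mt == SI4 and len(inform) >= 7:          # PD, MT, LAI (5), ...
        out = {"si": 4}
        out.update(decode_lai(inform[2:7]))
        return out
    return {"si": None, "msg_type": mt}


def parse_trace(text):
    """Return one dict per RECEIVED_BLOCK: radio header fields plus the decoded RR info."""
    blocks = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = dict(kv.split("=", 1) for kv in m.group("kv").split())
            for key in ("ch", "bsic", "err", "arfcn", "shift"):
                current[key] = int(current[key])       # 't' (frame number, hex) is left as text
            blocks.append(current)
            continue
        m = INFORM_RE.search(line)
        if m and current is not None:
            current["rr"] = decode_rr(bytes.fromhex(m.group("hex").replace(" ", "")))
    return blocks


if __name__ == "__main__":
    for b in parse_trace(SAMPLE_TRACE):
        print(f"arfcn={b['arfcn']:>4} bsic={b['bsic']:>2} -> {b.get('rr')}")
```

Run against the two sample blocks, the SI3 from ARFCN 101 decodes to MCC 505, MNC 03, LAC 2006, Cell Identity 21651, and the SI4 from ARFCN 90 reports LAC 2005; the ARFCN/BSIC pair from the radio header is what the mapping software later filters on, while the LAI/CI from SI3 is what turns a measurement into a named cell.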

Mapping Software

The mapping software brings all the data together and presents it on a map. Position and measurements are logged to a SQL database, and can be reviewed at will. The 'Level Layer Manager' allows customisation of data shown on the map. For example, one can choose to plot all measurements made on a particular ARFCN, and then further refine that to one cell by specifying the BSIC.
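To make the data model concrete, here is an added example (not the project's mapping software, which is .NET) of the logging-and-filtering step described above, done in Python with SQLite: GPS fixes arrive as NMEA $GPGGA sentences (checksum-verified, as anything coming over a Bluetooth serial link should be), cell measurements are stored with their ARFCN and BSIC, and a 'layer' query selects every sample on one ARFCN, optionally narrowed to one cell by BSIC, each joined to the most recent fix at or before the measurement. The schema, the nearest-fix join and the sample rows are assumptions: the first GGA sentence is the well-known example from the NMEA documentation, the second fix is constructed, the ARFCN/BSIC pairs are taken from the trace on this page, and the RSSI values are constructed because the page does not document the RSSI_RESULTS format.

```python
import sqlite3

SCHEMA = """
CREATE TABLE fix  (t REAL PRIMARY KEY, lat REAL, lon REAL);
CREATE TABLE meas (t REAL, arfcn INTEGER, bsic INTEGER, rssi INTEGER);
CREATE INDEX meas_cell ON meas (arfcn, bsic);
"""


def _xor(body):
    """NMEA checksum: XOR of every character between '$' and '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def with_checksum(body):
    """Build a full sentence from a body such as 'GPGGA,...' (used only for constructed samples)."""
    return f"${body}*{_xor(body):02X}"


def nmea_checksum_ok(sentence):
    body, _, given = sentence.strip().lstrip("$").partition("*")
    return given != "" and _xor(body) == int(given, 16)


def parse_gga(sentence):
    """Return (lat, lon) in decimal degrees from a GGA sentence, or None if it is unusable."""
    if not nmea_checksum_ok(sentence):
        return None
    f = sentence.split("*")[0].split(",")
    if f[0] not in ("$GPGGA", "$GNGGA") or f[6] == "0":   # field 6: fix quality, 0 = no fix
        return None

    def dm_to_deg(value, hemi):                     # ddmm.mmmm -> decimal degrees
        v = float(value)
        deg = int(v // 100)
        d = deg + (v - deg * 100) / 60
        return -d if hemi in "SW" else d

    return dm_to_deg(f[2], f[3]), dm_to_deg(f[4], f[5])


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def log_fix(db, t, sentence):
    """Store a position if the sentence is valid; returns the position or None."""
    pos = parse_gga(sentence)
    if pos is not None:
        db.execute("INSERT INTO fix VALUES (?, ?, ?)", (t, pos[0], pos[1]))
    return pos


def log_measurement(db, t, arfcn, bsic, rssi):
    db.execute("INSERT INTO meas VALUES (?, ?, ?, ?)", (t, arfcn, bsic, rssi))


def layer(db, arfcn, bsic=None):
    """Rows (t, arfcn, bsic, rssi, lat, lon) for one ARFCN, optionally one BSIC,
    each joined to the latest fix taken at or before the measurement time."""
    sql = ("SELECT m.t, m.arfcn, m.bsic, m.rssi, f.lat, f.lon FROM meas m, fix f "
           "WHERE f.t = (SELECT MAX(t) FROM fix WHERE t <= m.t) AND m.arfcn = ?")
    params = [arfcn]
    if bsic is not None:
        sql += " AND m.bsic = ?"
        params.append(bsic)
    return db.execute(sql + " ORDER BY m.t", params).fetchall()


# Standard example sentence from the NMEA documentation (checksum 47 is genuine).
GGA_OK = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
# Same sentence with a corrupted checksum (constructed) - must be rejected.
GGA_BAD = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*00"
# A second, constructed fix a little further along.
GGA_LATER = with_checksum("GPGGA,123522,4807.100,N,01131.200,E,1,08,0.9,545.4,M,46.9,M,,")


def demo():
    """Load the constructed session: two good fixes, one bad one, three measurements."""
    db = open_db()
    log_fix(db, 100.0, GGA_OK)
    log_fix(db, 101.5, GGA_BAD)        # rejected, never reaches the map
    log_fix(db, 102.0, GGA_LATER)
    log_measurement(db, 101.0, 101, 7, -70)    # ARFCN 101 / BSIC 7 as in the trace; RSSI constructed
    log_measurement(db, 102.5, 90, 34, -85)    # ARFCN 90 / BSIC 34 as in the trace
    log_measurement(db, 103.0, 101, 12, -90)   # another cell on the same ARFCN (constructed)
    return db


if __name__ == "__main__":
    db = demo()
    for row in layer(db, 101):
        print("all of ARFCN 101:", row)
    for row in layer(db, 101, bsic=7):
        print("ARFCN 101, BSIC 7 only:", row)
```

Selecting on ARFCN alone mixes every cell that happens to use that carrier, which is why the second filter on BSIC matters: two cells on the same ARFCN are told apart only by their colour code, and plotting them together would smear two coverage areas into one.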

The funky GPS controls are from GeoFramework and GPS.NET. The map is rendered using GMap.NET and OpenStreetMap, which can of course be zoomed to show discrete samples:

The Mobile State window displays the current state of the cellular network from the point of view of the phone:

The software could be appropriated to map any RF device that outputs signal strength measurements (e.g. a handheld receiver used for 'fox hunts').

Alas, the real geolocation (multilateration) process remains a TODO...

More Information

Mobile phone tracking (Wikipedia)

NetMonitor in Nokia phones (mwiacek)

A method for implementing Mobile Station Location in GSM (Svein Yngvar Willassen's thesis)

Official 3GPP (GSM and onward) specifications

ARFCN to Frequency Calculator