Radio Direction Finding With PCS/GSM Mobile Terminals

Bunny Hunting the Cell Towers

by wargames <[email protected]>

 --== RDF Theory ==--
"Blah blah blah Ginger! Blah blah. Blah blah blah blah! Blah Ginger!"[1] If you want something about RDF theory I suppose I can cook something together, but I'm sure you'd prefer just to get some useful HowTo info.

 --== RDF on ClearNET CDMA (Sony CMB1207) ==--
Once in field service mode, the display shows the cell number (PN Offset) and signal strength. No usable signal and the weakest usable signal are displayed as 0x80 and the strongest normally encountered signal will be shown as 0xFF. Beyond the normal range, the meter will wrap around to the range 0x00 to 0x7F. Power levels in this range indicate the base station is less than 150m away from the handset.

Clearnet's cell sites are usually configured with 3 cells per tower. Cells are separated by a PseudoNoise Offset (cell-specific CDMA channel code) of 168, and are nominally 120° apart. Repeaters will most likely look like odd cells. Circling the tower, 2 of the offsets will be related, while one is way out to lunch and has a very narrow (and far-reaching) corridor. Geckobeach [2] reports that Clearnet orients their towers with the middle PN offset facing south; there is evidence that in Edmonton (in the southeast and downtown areas at least) the middle offset faces east. This may not hold true in all places - verify the orientation of the PN offsets with the angle of the cells and a compass.

This pattern of fixing PN offset direction makes cell hunting quite simple. Look for a transition of 'L=H-336' or 'H=L+336'. The L->H transition indicates that, for a northbound observer, the cell is located on a west vector ±5°. Cells aren't perfect radiators - they do spill over somewhat. In a worst-case scenario, at the intersection of 3 towers' coverage, "thrashing" (fast random or circular handoffs) may occur as 6 antennae pick up a handset in their zone. Oscillation between 2 PN offsets is a sure sign of having found a cell boundary. Follow it home and tag it. H->L transitions for a southbound observer obviously indicate a cell to the east. Repeater behaviour is not clearly defined.
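As an added illustration (this is not code from the original article), the routine below encodes the Sony field-service rules given above: the normal 0x80-0xFF meter range and the wrapped 0x00-0x7F range (tower under 150m), the 336 PN-offset difference between the outer sectors of one tower, the two heading/transition cases the text names, and oscillation between two offsets as the boundary sign. The sample readings are constructed, the oscillation threshold of 3 flips is my own choice, and headings or transitions other than the two described simply return None rather than guessing.

```python
from __future__ import annotations

# Added example, not from the original article. Rules encoded here are the
# article's: normal meter range 0x80..0xFF, wrapped range 0x00..0x7F (base
# station under 150 m), sectors of one tower 168 PN offsets apart, so the
# outer pair differ by 336. Sample readings below are constructed.

SECTOR_SPACING = 168                    # PN offset step between sectors of one tower
OUTER_PAIR_DELTA = 2 * SECTOR_SPACING   # 336: the L/H transition the article looks for
OSCILLATION_THRESHOLD = 3               # flips between two offsets before we call it a boundary (my choice)


def decode_signal(raw: int) -> tuple[str, int]:
    """Classify a raw signal byte shown in field-service mode.

    Returns (band, strength) with strength monotonic in real signal:
    0 for 0x80 (no usable signal) up to 127 for 0xFF, then 128..255 for the
    wrapped range 0x00..0x7F, which means the meter ran past full scale.
    """
    if not 0 <= raw <= 0xFF:
        raise ValueError(f"signal byte out of range: {raw:#x}")
    if raw >= 0x80:
        return ("normal", raw - 0x80)
    return ("wrapped", 0x80 + raw)      # article: tower is less than 150 m away


def classify_transition(old_pn: int, new_pn: int, heading: str) -> str | None:
    """Interpret a serving-PN change against the observer's heading.

    Only the two cases the article states are encoded; anything else (a 168
    step to the adjacent sector, an unrelated cell, another heading) returns
    None rather than inventing a bearing.
    """
    delta = new_pn - old_pn
    if heading == "N" and delta == OUTER_PAIR_DELTA:    # L->H, northbound
        return "west"                                   # west vector, +/-5 degrees
    if heading == "S" and delta == -OUTER_PAIR_DELTA:   # H->L, southbound
        return "east"
    return None


def find_boundaries(readings: list[tuple[int, int]], heading: str) -> dict:
    """Walk (pn_offset, raw_signal) samples taken while moving on one heading.

    Reports 336-offset handoffs with their bearing, oscillation between two
    offsets (the article's sign of a cell boundary), and any wrapped reading.
    """
    report = {"handoffs": [], "oscillating": False, "very_close": False}
    flips = {}                                          # unordered PN pair -> handoff count
    for i, (pn, raw) in enumerate(readings):
        if decode_signal(raw)[0] == "wrapped":
            report["very_close"] = True
        if i == 0 or pn == readings[i - 1][0]:
            continue                                    # no handoff at this sample
        old_pn = readings[i - 1][0]
        pair = frozenset((old_pn, pn))
        flips[pair] = flips.get(pair, 0) + 1
        if flips[pair] >= OSCILLATION_THRESHOLD:
            report["oscillating"] = True
        bearing = classify_transition(old_pn, pn, heading)
        if bearing is not None:
            report["handoffs"].append((i, old_pn, pn, bearing))
    return report


# Constructed northbound drive: serving PN flips between 24 and 360 (= 24 + 336),
# then the meter wraps to 0x10 as the tower comes within a block or so.
SAMPLE_NORTHBOUND = [(24, 0xA0), (24, 0xB4), (360, 0xC0), (24, 0xC2),
                     (360, 0xD0), (360, 0x10)]

if __name__ == "__main__":
    print(find_boundaries(SAMPLE_NORTHBOUND, "N"))
```

Feed it the PN/strength pairs you write down at each intersection; a report with `oscillating` set and a run of same-bearing handoffs is the "follow it home" moment, and `very_close` going true tells you to start looking up.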

 --== RDF on MicroCell GSM (N5190 v5.81) ==--
In their infinite cleverness, Nokia's engineers put the required data displays on different screens. This is mostly a minor inconvenience, since the 5190's test mode shows far more information than the Qualcomm digital engine in the Sony handset. The information required to trace cells is located on screens 3 and 11, with some useful tidbits found on 4 and 1. Screen 3 shows signal strength and control channel numbers for the currently serving cell, along with its 2 nearest neighbours. Screen 11 gives CGI (Cell Global Identity) information. Screen 4 continues the nearest neighbour display, allowing us to predict which cells it is possible for us to move into, and the timing advance parameter on screen 1 offers clues to the distance from the base station.

screen       1                  3                 4              11
L1     533 -72 xxx        533 27 -72 27     516  6  -93  6    CC:302 NC37?
L2       0   1 x xxxx     523 15 -84 15     513  2  -96  2    LAC:  3100
L3      27      27        536 13 -86 13     515 -1 -100 -1    CH :   533
L4           CCCH            N  N              N  N  N        CID: 10063
When interpreted as MCC:MNC:LAC:CID, the format of the CGI data resembles, in no small way, the numbering conventions used for ethernet addresses. In fact the CGI number is globally unique to that antenna. The first two fields, the Country Code and Network Code, are an assigned prefix; the latter 2 fields are essentially a manufacturer/operator serial number. Just as there can be many ethernet cards whose MAC addresses end in 'C0:FF:EE', there can be many cells whose LAC/CID pair is 1264/8430. The ethernet analogy remains appropriate when considering the base station as a router. A computer can (and often does) have multiple network adaptors, and so does a base station - each cell can be considered to be a NIC.

The 5190's data display is unique in that it displays, for each control channel, 2 numbers RxL and PLCC (Receive Level and Path Loss Compensation Coefficient) such that PLCC-RxL=99. The list of neighbourly cells is sorted by signal strength, thus making a relatively easy job of predicting which cell will be the next service cell. Screen 3 may be the most useful for finding the tower, but screen 11 is where the actual tower ID is. Do not be fooled by the control channel ID - it is only a channel. It can and will change with network load. That said, control channel ID is the fastest way to find a cell. Whenever the control channel changes, compare the old and new values to see if they indicate a new cell or merely a new channel. If a new cell seems more probable, verify this on screen 11. Apparently MicroCell orients their cells in the shape of a capital 'Y', numbered 1-3 clockwise from the southeast sector. (I'll have to verify that - Edmonton seems to be weird for cell configs.)

Screens 4 and 5 are more neighbours. Likely, you won't need to use their information, except maybe to bootstrap your search. GSM is a time-sensitive protocol. To compensate for distance from the tower, the network can direct the phone to transmit sooner, rather than later. This is shown in the timing advance parameter, found on screen 1, line 3, field 2. It varies between 0 ("is that a tower in your pocket or are you just happy to see me?") up to 63 (nearly a long-distance call). For what it's worth, the maximum radius of a GSM cell is 35km, due to this timing sensitivity. Thus, 1 unit of timing advance is approximately equal to being 550m from the tower. What with the size of cells in metro areas, it's doubtful that this value should ever go above 12. Nonetheless, it may serve as a useful way to check your work.
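An added example, not from the original article, that turns the screen-reading rules above into code: it parses constructed Nokia 5190 screen lines laid out like the table, checks PLCC-RxL=99 on each neighbour line, pulls the CGI (MCC:MNC:LAC:CID) from screen 11, decides whether a control channel change is a new cell or merely a new channel, sorts neighbours strongest-first to predict the next serving cell, and converts timing advance to metres at 550m per unit. The field order on screen 3 (channel, PLCC, RxL, PLCC) and the 'NC:' spelling in the sample are assumptions based on the table; the sample values are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not from the original article. Constants are the article's
# figures; the screen layouts assumed here follow the table in the text.
PLCC_RXL_SUM = 99            # article: PLCC - RxL = 99 on every neighbour line
METRES_PER_TA_UNIT = 550     # article: one unit of timing advance ~ 550 m
MAX_TIMING_ADVANCE = 63
CELL_RADIUS_LIMIT_M = 35_000  # article: 35 km maximum GSM cell radius


@dataclass(frozen=True)
class CGI:
    """Cell Global Identity: MCC:MNC is the assigned prefix, LAC:CID the operator's serial."""
    mcc: int
    mnc: int
    lac: int
    cid: int


@dataclass
class Neighbour:
    """One screen-3/4 row: control channel, PLCC and RxL in dBm."""
    channel: int
    plcc: int
    rxl_dbm: int

    def consistent(self) -> bool:
        # the article's invariant; a misread or garbled row fails this
        return self.plcc - self.rxl_dbm == PLCC_RXL_SUM


def parse_screen3(lines) -> list:
    """Parse 'CH PLCC RxL PLCC' rows; rows of N markers or blanks are skipped."""
    out = []
    for line in lines:
        m = re.match(r"\s*(\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$", line)
        if m:
            ch, plcc, rxl, _ = map(int, m.groups())
            out.append(Neighbour(ch, plcc, rxl))
    return out


def parse_screen11(lines) -> tuple:
    """Parse the CGI screen; returns (CGI, control channel)."""
    fields = {}
    for line in lines:
        for key, val in re.findall(r"(CC|NC|LAC|CH|CID)\s*:?\s*(\d+)", line):
            fields[key] = int(val)
    cgi = CGI(fields["CC"], fields["NC"], fields["LAC"], fields["CID"])
    return cgi, fields["CH"]


def control_channel_changed(old: tuple, new: tuple) -> str:
    """Article's rule: a changed control channel is either a new cell or just a new channel."""
    (old_cgi, old_ch), (new_cgi, new_ch) = old, new
    if old_ch == new_ch:
        return "no change"
    return "new channel, same cell" if old_cgi == new_cgi else "new cell"


def sort_by_strength(neighbours: list) -> list:
    """The phone lists neighbours strongest first; the top entry is the likely next serving cell."""
    return sorted(neighbours, key=lambda n: n.rxl_dbm, reverse=True)


def timing_advance_to_metres(ta: int) -> int:
    """Rough distance to the tower from the screen 1 timing advance value."""
    if not 0 <= ta <= MAX_TIMING_ADVANCE:
        raise ValueError("timing advance must be 0..63")
    return ta * METRES_PER_TA_UNIT


# Constructed sample screens, values modelled on the table in the article
SCREEN3 = ["533 27 -72 27", "523 15 -84 15", "536 13 -86 13", "   N  N"]
SCREEN11 = ["CC:302 NC:37", "LAC: 3100", "CH : 533", "CID: 10063"]
SCREEN11_LATER = ["CC:302 NC:37", "LAC: 3100", "CH : 536", "CID: 10063"]  # channel moved, same cell
SCREEN11_OTHER = ["CC:302 NC:37", "LAC: 3100", "CH : 516", "CID: 10064"]  # constructed different cell

if __name__ == "__main__":
    for n in sort_by_strength(parse_screen3(SCREEN3)):
        print(n, "ok" if n.consistent() else "MISREAD")
    print(control_channel_changed(parse_screen11(SCREEN11), parse_screen11(SCREEN11_LATER)))
    print(control_channel_changed(parse_screen11(SCREEN11), parse_screen11(SCREEN11_OTHER)))
    print(timing_advance_to_metres(MAX_TIMING_ADVANCE), "m at maximum timing advance")
```

The `consistent()` check earns its keep when you are copying screens by hand at a stop light: a row that does not sum to 99 was misread, not a new cell.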

 --== RDF in action ==--
         Mapping begins by defining a "Base Point". This is a point on a map tagged with a vector approximating the direction of arrival of the signal. If this vector is copied and rotated 90° and 180°, projections of the resultant vectors will cross vectors describing the boundaries of the cell. Should an extension move the cell into a zone served by another base station, reverse the sense of the vector and reproject. Connecting the zone crossings and extrapolating will establish a corridor in which it may be said with a high degree of certainty that a base station is located. Position within the corridor may be established by way of signal strength and PN/CGI indicators. All that remains is to travel the corridor until the cell is within visual range.

 --== RDF Approximation/Optimization ==--
         1) The following method optimizes search complexity at the expense of time and resource requirements.

By plotting signal strengths at regular intervals (street intersections, for example) over a large enough area, perhaps 10 km², and connecting the appropriate points (i.e., by average signal strength or by cell ID), it becomes possible to narrow cell locations to a small area. The inefficiency of this method lies in the requirement for a large amount of travel and that the plotted points (if not chosen correctly) may converge only very slowly, if at all. This method is recommended for mapping microcells in congested "antenna jungles," and as a bootstrap for other methods.
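An added example of method 1, not from the original article: the grid of plotted points is grouped by cell ID and each cell's location is narrowed to a power-weighted centroid of its strongest few samples. The estimator is my own choice of how to "connect the appropriate points"; the survey data is constructed, with two hypothetical towers, a 6x5 grid of intersections at 1km spacing and a simple -50 dBm minus 8 dB per km model used only to generate the readings.

```python
import math
from collections import defaultdict

# Added example, not from the original article. Everything below the
# constants is constructed survey data plus one possible way of narrowing a
# cell's location from it; the article only says to plot and connect points.
TOWERS = {"cell-A": (3.0, 2.0), "cell-B": (0.0, 4.0)}   # hypothetical true positions, km
TOP_K = 5                                               # strongest samples used per cell (my choice)


def synth_reading(x, y):
    """Constructed reading at (x, y): serving cell is the strongest tower, level in dBm."""
    best = None
    for cell, (tx, ty) in TOWERS.items():
        dbm = -50.0 - 8.0 * math.hypot(x - tx, y - ty)   # toy path-loss model, data only
        if best is None or dbm > best[1]:
            best = (cell, dbm)
    return (x, y, best[0], best[1])


def survey(xs=range(6), ys=range(5)):
    """One reading per intersection of the constructed 6x5 km grid."""
    return [synth_reading(float(x), float(y)) for x in xs for y in ys]


def estimate_towers(samples, top_k=TOP_K):
    """Per cell ID, power-weighted centroid of the top_k strongest samples.

    Strengths are converted from dBm to milliwatts so that one strong reading
    dominates several weak ones, which is what pulls the centroid toward the site.
    """
    by_cell = defaultdict(list)
    for x, y, cell, dbm in samples:
        by_cell[cell].append((dbm, x, y))
    estimates = {}
    for cell, pts in by_cell.items():
        pts.sort(key=lambda p: p[0], reverse=True)
        strongest = pts[:top_k]
        weights = [10 ** (dbm / 10.0) for dbm, _, _ in strongest]
        total = sum(weights)
        ex = sum(w * x for w, (_, x, _) in zip(weights, strongest)) / total
        ey = sum(w * y for w, (_, _, y) in zip(weights, strongest)) / total
        estimates[cell] = (ex, ey)
    return estimates


def error_km(cell, estimates):
    """Distance between the estimate and the constructed true position."""
    ex, ey = estimates[cell]
    tx, ty = TOWERS[cell]
    return math.hypot(ex - tx, ey - ty)


if __name__ == "__main__":
    est = estimate_towers(survey())
    for cell, (ex, ey) in sorted(est.items()):
        print(f"{cell}: estimate ({ex:.2f}, {ey:.2f}) km, error {error_km(cell, est):.2f} km")
```

Cell A sits inside the surveyed grid and the estimate lands on it; cell B sits on the edge, so its centroid is pulled inward by a few hundred metres. That is the article's caveat about badly chosen points in concrete form: survey past the area you think the cell is in, or the estimate converges toward the middle of your map rather than the tower.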

 
         2) The following method optimizes search complexity and time at the expense of accuracy and possibly resource requirements.

Once a cell boundary is located, a flattened spiral search takes place. Simply travel along the cell line, reversing direction after F(n) units of travel, where F(n) is the nth Fibonacci number[3], n is the number of the turn, and one travel unit is 200m. Since F(8)=13, the 8th pass along the line will be 1.6km, more than long enough to establish the true direction of the cell. Disadvantages include the fact that the resultant location may be difficult to access, improbable or incorrect, further compounded by the difficulties of staying on the cell line. That accounts for most of the wasted travel, since the Fibonacci search is naturally efficient. This method is recommended for open but complicated areas like refineries where it may not be obvious in which direction the cell lies, due to the "cleverness" of some site engineer.

 
Other useful search techniques will be posted as they are described.

 --== RDF References ==--
[1] Far Side. You know the one - "What we say, what dogs hear."
[2] http://www.geckobeach.com/cellular/
[3] F(i+1) = F(i) + F(i-1), F(0)=0, F(1)=1. F(x) -> 0, 1, 1, 2, 3, 5, 8, 13, ...