Cell Phone Tracking/Positioning Technology Review Part 1

Prof M S Prasad , The ubiquitous presence of mobile communication with cheap cost of ownership , has become one of the major communication methods during move or anywhere for mass as well as for unwanted persons also. Cell phone or Mobile tracking is required for Government process, for medical system , for emergency like we have in west 110 and USA 911 services who has the capability to know your location . The Cell phone tracking is also used by Location Based Service providers ( LBS) for commercial use. In this review paper , the focus is to present methods for Cell phone tracking/positioning, implementation procedure and how to increase the accuracy Brief Review of GSM System

Global Mobile System ( GSM) is a digital wireless network developed by European Digital Mobile standards , operating on two frequency bands 900 & 1800 MHz. The GSM frequency band utilizes two bands separated by 25 MHz and each band divided into 200 KHz Channel commonly known as Absolute Radio frequency Channel Numbers ( ARFCN ) uses TDMA technique fro Channel use by multiple users. A GSM TDMA slot is composed of 8 timeslots per frame ( each 156.25 bits wide) leading to 125x8 = 1000 traffic channels.( 200 KHz channel spacing in 25Mhz gives 125 channel ) The data rate in both forward and reverse transmission channel is of 270.833 Kbps using GMSK (Gaussian Minimum Shift Keying with Bt =0.3) modulation technique giving the effective data rate per user as 270.833 /8 = 33.854 kbps. Due to other overheads actual transmission rate is 24.7 Kbps . This modulation technique has been adopted for its power and spectral efficiencies as well having smooth phase trajectory. The signaling bit duration is of 3.692 s GSM system uses various types fo channels to connect user s or to provide different services with definite structure . Here we will focus on Two important channels Traffic channel and Control channel. For the Cell phone location determination Control Channel is of importance. The control channel uses different burst such Synchronization and Frequency Correction Burst. These bursts along with Control data go through interleaved Channel encoding and then modulated by GMSK and goes through RF chain for transmission. Cellular networks consist of thousands of overlapping, individual geographic areas called as cells, each with a base station. Each cell within a cellular network is geographically defined by the range that RF signals propagate to continuous space. The size of the cell depends on the area of coverage that is needed and number of calls made in that area. When mobile phone is switched on, it logs on to best suitable network. When a mobile phone user is moving and enters a serving cell, network base stations are designed to recognize that the user is within the serving proximity of the stations neighborhood. The base station then automatically locks on to

mobile and hands off the call from one base station and corresponding cell to this next base station and serving cell within the network. Components of Mobile /GSM System ( Ref Fig 1.1 ) MSC The mobile service switching centre (MSC) is the core switching entity in the network. The MSC is connected to the radio access network (RAN) consisting of BSCs ( Base Stations Controllers ) . Users of the GSM network are registered with an MSC; all calls to and from the user are controlled by the MSC. A GSM network will have one or more MSCs, geographically distributed. VLR the visitor location register (VLR) contains subscriber data for subscribers registered in an MSC. Every MSC contains a VLR. Although MSC and VLR are individually addressable, they are always contained in one integrated node. GMSC The gateway MSC (GMSC) is the switching entity that controls mobile terminating calls. When a call is established towards a GSM subscriber, a GMSC contacts the HLR of that subscriber, to obtain the address of the MSC where that subscriber is currently registered. That MSC address is used to route the call to that subscriber. HLR the home location register (HLR) is the database that contains a subscription record for each subscriber of the network. A GSM subscriber is normally associated with one particular HLR. The HLR is responsible for the sending of subscription data to the VLR (during registration) or GMSC (during mobile terminating call handling). CN the core network (CN) consists of, amongst other things, MSC(s), GMSC(s) and HLR(s). BSS the base station system (BSS) is composed of one or more base station controllers (BSC) and one or more base transceiver stations (BTS). The BTS contains one or more transceivers (TRX). The TRX is responsible for radio signal transmission and reception. BTS and BSC are connected through the Abis interface. The BSS is connected to the MSC through the A interface. MS the mobile station (MS) is the GSM handset.

A GSM network can be of the Time division multiple access (TDMA) network or code division multiple access (CDMA) network. In general they are also referred as Public Land Mobile Network. The various entities in the GSM network are connected to one another through signaling networks. Signaling is used for example, for subscriber mobility, subscriber registration, call establishment ,etc. The connections to the various entities are known as reference points. : Interfaces between various network elements. The mobile station and the BSS communicate across the Um interface, also known as air interface or radio link. BTS communicates with BSC across Abis interface CCCH - Common Control Channel SDCCH - Stand alone Dedicated Control Channel TCH - Traffic Channel

BSC communicates with MSC across A interface SCCP - Signaling Connection Control Part MSC communicates with VLR across B interface MSC communicates with HLR across C interface MSC communicates with EIR across F interface The interface between OMC and other network elements is not standardized

The signaling protocols used over GSM are the following: Mobile application part (MAP) MAP is used for call control, subscriber registration, short message service, etc.; MAP is used over many of the GSM network interfaces; Base station system application part (BSSAP) BSSAP is used over the A interface; Direct transfer application part (DTAP) DTAP is used between MS and MSC; DTAP is carried over the Abis and the A interface.

ISDN user part (ISUP) ISUP is the protocol for establishing and releasing circuit switched calls. ISUP is also used in landline Integrated Services Digital Network (ISDN). A circuit is the data channel that is established between two users in the network.
GSM Control Channels Besides the traffic channels there are a group of control channels defined which handle system information, connection setup and connection control Broadcast Control Channel (BCCH) group handles beacon signaling, synchronization of MS with the serving BTS, timing advance adjustment, it comprises of BCCH Broadcast Control Channel FCCH Frequency Control Channel SCH Synchronization Channel BCCH is responsible for Sending out of beacon on one frequency per cell (by BTS) Contains 16bit Location Area (LA) code MUST BE on Time Slot #0, following time slots might used by TCH BCCH provides: Details of the control channel configuration Parameters to be used in the cell Random access back off values Maximum power an MS may access (MS_TXPWR_MAX_CCCH) BCCH provides: Minimum received power at MS (RXLEV_ACCESS_MIN) Is cell allowed? (CELL_BAR_ACCESS) List of carriers used in the cell Needed if frequency hopping is applied List of BCCH carriers and BSIC of neighbouring cells FCCH is responsible for first part of MS tuning (synchronisation of mobile device to BTS signal)

MS listens on strongest beacon for a pure sine wave (FCCH), first coarse bit synchronization used for fine tuning of oscillator Immediately after follows a SCH burst SCH: Fine tuning of synchronization (64 bits training sequence) Read burst content for synchronization data 25 bits (+ 10 parity + 4 tail + convolution coding = 78bits) 6 bits: BSIC, 19 bits: Frame Number (reduced) Finally MS is able to read BCCH information

International Mobile Subscriber Identity The international mobile subscriber identity (IMSI) is embedded on the SIM card and is used to identify a subscriber. The IMSI is also contained in the subscription data in the HLR. The IMSI is used for identifying a subscriber for various processes in the GSM network. Some of these are: The structure of IMSI is of max 15 digits . .

Mobile country code (MCC) the MCC identifies the country for mobile networks. The MCC is not used for call establishment.]. The MCC values are allocated and published by the ITU-T. Mobile network code (MNC) the MNC identifies the mobile network within a mobile country (as identified by MCC). MCC and MNC together identify a PLMN. Refer to ITU-T E.212 for MNC usage. The MNC may be two or three digits in length. Common practice is that, within a country (as identified by MCC), all MNCs are either two or three digits. Mobile subscriber identification number (MSIN) the MSIN is the subscriber identifier within a PLMN. Mobile Station Integrated Services Digital Network Number (MSISDN Number) The MSISDN is used to identify the subscriber when, among other things, establishing a call to that subscriber or sending an SMS to that subscriber. Hence, the MSISDN is used for routing purposes. Country code (CC) the CC identifies the country or group of countries of the subscriber; National destination code (NDC) each PLMN in a country has one or more NDCs allocated to it; the NDC may be used to route a call to the appropriate network; Subscriber number (SN) the SN identifies the subscriber within the number plan of a PLMN.

Cell Phone Tracking /Positioning Basic idea to locate a person carrying a digital device is by measuring radio signals exchanged between a device transceivers and set of known base stations. Measured signals can then be used to perform some mathematical calculation to give location information there are many ways in which location can be found from the measurement of the signal and can be applied to current wireless networks. The most important measurements are: Cell identification, Propagation time, Time Difference of Arrival (TDOA) and Angle of Arrival (AOA), and these involves different level of position accuracy, hardware & software.

Based on the functions of the MS and the network, implementation of a location tracking method belongs to one of the following categories: Network-based Mobile-based Mobile-assisted In network-based implementation one or several base stations (BSs) make the necessary measurements and send the measurement results to a location centre where the position is calculated. Network-based implementation does not require any changes to existing handsets, which is a significant advantage compared to mobile-based or most mobile-assisted solutions. However, the MS must be in active mode to enable location measurements and thus positioning in idle mode is impossible. In mobile-based implementation the MS makes measurements and position determination. This allows positioning in idle mode by measuring control channels which are continuously transmitted. Some assisting information, e.g. BS coordinates, might be needed from the network to enable location determination in the MS. Mobile-based implementation does not support legacy handsets The third category, mobile-assisted implementation, includes solutions where the MS makes measurements and sends the results to a location centre in the network for further processing. Thus, the computational burden is transferred to a location centre where powerful processors are available. However, signaling delay and signaling load increase compared to a mobile based solution, especially if the location result is needed at MS. Another classification is based on the measurement principle. The measurement principle of each method belongs to one of three categories: Multilateral Unilateral Bilateral

In multilateral techniques, several BSs make simultaneous (or almost simultaneous) measurements. Multilateral measurement principle leads to network-based implementation. Unilateral means that the MS measures signals sent by several BSs and thus leads to mobile based or mobile-assisted implementation. For bilateral techniques multiple measurements are not needed: either MS measures signal from a single BS or one BS measures signal from MS. Cell Identification Cell Identification technique operates in GSM, GPRS and WCDMA mobile/cellular networks. It is a simple and easy way to locate a cell phone by identifying the serving cell. This technique requires identifying, communicating and locating the base station to which the mobile phone is connected. It passes the location of the base station as the location of the mobile user to location service applications. As a mobile user moves around, network keeps tabs on which base station it can reach the mobile and hence the location is updated. The accuracy of this technique to find the location depends upon the infrastructure / physical architecture of the network i.e. the size and density of the cells. Systems with smaller cells such as in rural areas will have more precision than systems with large cells. Accuracy is in between 100meter to 20kilometer.

Level of accuracy can be increase by using cell identification with under mentioned methods
Timing Advance (TA)

Number of milliseconds the signal from the mobile phone travels to base station corresponds to timing advance. The time at which a terminal sends its transmission burst is critical to the efficient functioning of a GSM network. GSM uses the Time Division Multiple Access technology for sharing one frequency between several users, assigning timeslots to the individual mobile users sharing a frequency; each mobile user can transmit only in a certain time. But the users are in different distances from the base station, the precise time the phone is allowed to transmit (timeslot) has to be adjusted accordingly. Timing advance is the variable controlling this adjustment. Distance of the mobile user from the base station is dependent upon the duration of timing advance for each mobile station. Hence, we can calculate the mobile user location information. This technology is only used if the mobile user is 550meters or more away from the base station since adjustment are calculated depending on how many multiples of 500-550 meters the mobile user is distant from a base station due to its bit based resolution i.e. 3.692 s / bit. Signal Strength In telecommunication, signal strength is measured of how strong a signal (RF waveform) is. Mobile phone continuously measures the strength of the signal from each of the base station and reports this information back to them, so that communication between the mobile phone and the base station has optimum signal strength. . Signal strength is measured in voltage per square area. Hence, theoretically we can calculate the proximate location of the mobile user by cell-id and signal strength. This technique is not widely used, since the measurement of signal strength depends upon characteristics of terrain, attenuation of signal or signal Fading. Several Transmission and propagation model empirical & theoretical exists to translate it into distance measurements. The BSs send the common pilot channel (CPICH) with constant power of 33 dBm (10% of the max power). CPICH is unique in each cell and always present in the air. Before any other transmission each MS monitors the CPICH. Thus, each MS is able to measure the power levels of the nearest BSs common pilot channels. A common Propagation model is given below :A. Hata-Okumura Model

This model gives a path loss expression for each of the urban, suburban and open environments. It defines a parameter a (hM) to be the mobile height correction factor or gain (dB). As a result Hata subdivided the urban environment into large and small/medium cities. Pathh Loss = 69.55+26.16 log (f) 13.82 log ( hb) a ( hm) + ( 44.9 -6.55 log(hB)) log (d) This path loss is for URBAN area .For sub Urban area an additional term is added as - 2(log(f/28)) - here a9H) is a small & medium gain factor which empirically given as A(h) = 32 ( log( 11.5h)) -4.97 for large City
1.1 log ( f -0.7) h 1.56 log(f) -0.8 for small & Medium city hb = height of Base station in m

hm = height of mobile d = distance between Base station and mobile set.

For fading analysis we can use two models : Rayleigh Flat fading Model for cities where we may have number of paths of signal and Ricean Fading model for a dominant LOS and few scatteres i.e. in Suburban areas. Propagation Time ( Time of Arrival TOA ) This involves measuring the time it takes for a signal to travel between a base station and a mobile receiver or vice versa. Alternatively, this approach might involve the measurement of destination and then echoed back to the source, giving a result twice that of the one-way measurements. Always later approach is used as the means of measuring propagation time because it does not rely synchronization between the mobile receiver and base stations. Either measurement constrains the position of the mobile receiver to a circular locus around the base station. If another propagation time measurement is made with respect to a second base station, a second circular locus is produced [Figure 7 (a)]. It can be seen that the two circular loci gives an ambiguous position, to resolve such ambiguity either previous information concerning the trajectory of the mobile receiver or making a propagation time to the third base station.

Deducing the location from the signal strength from 3 station at the same site.

Observed Time difference of arrival (O-TDOA) A mobile receiver can listen to a series of base stations. Also it can measure the time difference between pair of station. If, for example, there are three base stations, two independent TDOA measurements can be made and used to locate a mobile receiver. Each TDOA measurement defines a hyperbolic locus on which a mobile receiver must lie. The intersection of the two hyperbolic loci will define the position of the mobile receiver [Figure 7 (b)]. TDOA requires that multiple base stations listen to handover access bursts from the mobile terminal, and then triangulate on its position. Angle of arrival [AOA] This involves measuring the angle of arrival of a signal from a base station to a mobile phone or vice versa. In either case, a single measurement produces a straight line locus from the base station to the mobile receiver. AOA measurement with other base station will yield a second straight line; the intersection of two lines gives position of the mobile receiver [Figure 7 (c)]. Generally this is difficult to measure because the need for an Directional Antenna or Antenna arrays. Enhanced Observed Time Difference [E-OTD]

E-OTD is device centric localization technique that assumes that handsets are endowed with software that locally computes location. Three or more synchronised base stations transmit signal times to the base station. E-OTD mobile positioning techniques are in the range of 50-125m. Three basic timing quantities are involved with this :a. Observed Time Difference : It is the observed time difference between the reception of signal from Two BSs b. Real Time Difference : This the time difference between relative Synchronisation between two BSs. C. Geometric Time Difference : The time difference due to Geometry of the base station.
New Technology All techniques reviewed above are called as homogeneous systems. A homogeneous system uses only one source of measurements to calculate position. Mixing different type of measurements will also give location of the mobile receiver. A common example is radar, which combines propagation time and AOA to yield location of the mobile receiver. This type of system is called as heterogeneous system, where one or more techniques are combined to eliminate disadvantage of each other. Such as, when Cell-Id technique, give high yield but very poor accuracy, is combined with A-GPS, give high accuracy and poor yield, the result is high accuracy. In this system, when a conventional GPS system fails to locate a device user in heavily shielded environment, Cell-ID localization technique is used as a fall-back method to provide the proximate location of the user. Though GPS gives greater accuracy compared to other independent techniques but it updates the location of the device user every 5 sec i.e. the response time is slow, which is the major drawback for real time. Matrix positioning method with GPS system collectively know as Enhanced-GPS.. E-GPS provides 1) fine time aiding is available in GSM and W-CDMA with a precision of 5sec and 2) the Matrix element provides an immediate initial position of the device user up to accuracy of within 100m or so when GPS system fails to locate..

Suggested NEW Methods for increasing Accuracy

Hidden Markov Models

Signal models can be classified in deterministic and statistical ones. Deterministic models exploit specific properties of the signals, e.g. the signal is a sine wave or a sum of exponentials. The statistical models characterise only the statistical properties of the signal. Such statistical models include Gaussian processes, Poisson processes, Markov processes, Hidden Markov processes and other. The meaning of the statistical model is that the signal can be characterised as a parametric random process and that the parameters of the stochastic process can be determined in a precise, well-defined manner. A discrete Markov process is characterised by a finite or infinite number of states. A modeled system can be seen as being in one of these states and changing between the states at equally spaced discrete times, according to the state transition probability associated with each state.

In the case of a first-order Markov chain, the state transition probability does not depend on the history of the process, but only on the current state. The measured data during a call can be received and analysed at several network interfaces, e.g. Abis interface. In a further step, the measurements can be compared with saved street models, which are stored in repositories. The step of street modelling is one of the most basic steps for this positioning technique. The prediction field strength of the street elements has to be modelled in that way that all signal pattern information is saved. Hidden Markov Models have been used in the past for speech recognition, as well as for other applications that are based on pattern comparison and detection. In the case of positioning in GSM, the uplink and downlink signal characteristics can be saved in a Hidden Markov Model (HMM), which will be trained with predicted data
Training the Models

Training of models encodes observation sequences, in this case the prediction data for the considered street element, in such a way that any other observation sequence having many characteristics similar to the given, it should be able to identify it. The training is performed by means of the Segmental K-means Algorithm. This algorithm is based on the maximum state optimised likelihood criterion. At the beginning, clusters are randomly created and every vector (observation symbol from the training sequences) is assigned to the above clusters, from which its Euclidean distance is minimum. The initial choice of clustering vectors does not decide the final HMM, but can decide the number of iterations required for the HMM training.
On the next step the segmentation of the training sequences has to be optimised, until the final model represents the training sequences. This step can be made by means of Viterbi algorithm. The Viterbi algorithm finds the optimum state sequence in terms of the maximum likelihood. The state sequence is a sequence of states (clusters) where each observation vector is assigned. With other words the problem is to find an I that will maximise P(O,I|). The inductive Viterbi algorithm keeps the best possible state sequence for each of the N states as the intermediate state for the desired observation sequence O=O1, O2, O3, , OT. In this way the best path for each N states will be found for the desired observation sequence. In the case of Pattern-Recognition-Localisation, the observation sequences is a set of RXLEVs which results if we assume that a mobile terminal is moving on a street with a specific velocity and transmits measurement reports to the network. The training sequences are generated if several random speeds are used, ccording to a pre-defined normal distribution of speed for the specific street element. The more training sequences are used, the better the modelling will be.The network planning is based on prediction data. Planning tools simulating the actual behaviour of a mobile radio network in geographical space, with all its technical details. With the aid of these data the propagation models consider different attenuation along the propagation path of radio waves.
Another method is to use Kalman Filter for estimating the location. The ref are provided in Part two of this paper. 1.Drane C & C Scott : Positioning of GSM Telephones , IEE Communication Magazine pp -46 -59 , 1998 2. Universal mobile Telecommunication System ( UMTS) ; Physical Layer Technical Specifications , GPP TS 45.0001 ETSI 2001& .2. 3. 3.Theodore Rappert , Wireless Communication Principles & Practice , Prentice Hall , 1996 , Reading. ------------------------------------------------------------------------------------------------------------------------------------