Locating mobile phones with an SDR

Status
Not open for further replies.

Meny

Member
Joined
Dec 12, 2015
Messages
3
Hi guys

I'm working on a project where I need to determine the distance from my
USRP B210 to mobile phones nearby.

To my understanding there is a way to do so by sending a pulse and
studying the reflection from mobile devices, which contain SAW filters.

Since I'm new to the SDR world, could you help me get started?
Is anybody familiar with the process? Can I use Matlab, or do I need other software?

Any help will be really appreciated,
Thanks in advance,
Meny
 

n0nhp

Member
Joined
Dec 1, 2005
Messages
773
Location
Grand Junction
As near as I can make out from your post, you are asking us to tell you how to make an illegal transmitter that will override the authorized affiliation with a nearby cell tower and have it return a signal. If you are in the USA, it is also against the law to monitor those frequencies. I don't think there are going to be many here that can help you with that.

The actual physics of measuring the time delay can be looked up by doing some searching on the internet about how radar systems work.

Most any of the high end signal analysis programs will be able to give you the time differential and simple math will give you distance.

Don't get caught

Bruce
 

Meny

Member
Joined
Dec 12, 2015
Messages
3
Thanks for your reply.

This is actually a project for my university; there shouldn't be any legal issues.
The main goal of the project is to be able to locate trapped people in disaster areas.
I'm not in the USA, by the way.

I'm asking for advice about implementation: first of all, can my idea even work? (That's the best I came up with to achieve my goal.)
And second, since it's the first time I'm using SDR and I really don't know much about it: which program to use? GNU Radio/LabVIEW, or can even just Matlab, which I'm very familiar with, do the trick?
If anyone can shed some light on this it will be very helpful.

Thanks again
Meny
 

br0adband

Member
Joined
Apr 8, 2005
Messages
1,567
Location
Springfield MO
You'd be more likely interested in RDF (radio direction finding) work since just having one receiver of any kind isn't going to help much in terms of being able to do any accurate location or even distance work. I was just looking over the RTL-SDR blog and noticed this earlier:

An RTL-SDR Phase Correlative Direction Finder - rtl-sdr.com

which is a somewhat complex setup but could be constructed relatively cheaply (aside from the need for the device for syncing the clocks) and would probably be way more useful for tracking down victims in disaster situations. If you watch the video on YouTube, the author provides a link to the software he created for this project as well in the comments section.
 

Voyager

Member
Joined
Nov 12, 2002
Messages
12,060
When I first saw the topic, I was thinking it was a simple matter of DFing the signals coming from the phones. Nothing illegal about that, as it's not monitoring.
 

n0nhp

Member
Joined
Dec 1, 2005
Messages
773
Location
Grand Junction
In a disaster situation, you are assuming the phone is turned on and operating. If the local cellular infrastructure is still operating the phone will be broadcasting its "I'm here" and no signal will have to be sent to activate it. If the towers are down the phone will be actively sending "Are you there?" on all of its active control frequencies, again no signal needed to activate it. Rather than trying to get the phone to respond to you, a better approach might be to use multiple receivers and triangulate the signal source.
The battery will not last long if the phone is actively looking for a site affiliation.

Check with your local radio licensing agency before firing up a transmitter. Even universities are subject to their oversight and the cellular carriers will not be pleased if your experimentation interrupts paying customers.

It also may be that I have misunderstood the fundamental question. Years ago there was an avalanche rescue method using a microwave transmitter and a receiver tuned to double the transmitter frequency looking for the return of the harmonic returned when the beam intersected a diode that was sewn into ski clothing. The problem with that method was to get penetration of the snow to any depth, the transmitter had to be high enough powered that it was unsafe to point it at a living body. I did locate my digital wristwatch under about a foot of snow when we were testing it for mountain rescue though (I carefully flagged the spot when I hid it as back then digital watches were quite expensive). That method would still be better handled with a dedicated receiver and not necessarily a wide band SDR with associated computer equipment.
 

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,643
Location
Toronto, Ontario
In a disaster situation, you are assuming the phone is turned on and operating. If the local cellular infrastructure is still operating the phone will be broadcasting its "I'm here" and no signal will have to be sent to activate it. If the towers are down the phone will be actively sending "Are you there?" on all of its active control frequencies, again no signal needed to activate it.
That doesn't sound right. A phone will transmit on a frequency pair where it hears nothing? If the phone can't hear a site's outbound control channel, sending an inbound "Are you there?" isn't going to make the phone suddenly hear the site.


Rather than trying to get the phone to respond to you, a better approach might be to use multiple receivers and triangulate the signal source.
There will be no signal source unless the phone is being paged, or the phone is sending data or a voice call is in progress.


The battery will not last long if the phone is actively looking for a site affiliation.
Nope, don't think so. The phone will only use its receiver until it hears a control channel - then it will transmit. If the phone can hear the site, the site can likely hear the phone and will respond, causing the phone to stop transmitting. The system designers know what they're doing.
 

paulears

Member
Joined
Oct 14, 2015
Messages
789
Location
Lowestoft - UK
Well - cellular phones do transmit first - it's the nature of the system. Go somewhere where coverage is sparse with a hand-held spectrum analyser, like the RF Explorers, and turn your phone on. Like a Borg, it tries very hard to wake up a cell tower in range.

So for the OP, there could be something worthy of study - but the problems would be multiple phones. The scenario would be problematic on many counts. Passively, any detector would need to be able to discount transmissions from other phones, and in a search situation, there would be many. The old search technique of calling for quiet and listening would be difficult to manage with phones. DF techniques need to home in on one unit out of many. In an RF quiet environment with a single phone in operation then you could find a bearing from multiple receivers, and with the correct equipment, you could perhaps respond. I don't know enough about how the various polling protocols work, but I'm sure somewhere I read the response times were randomly varied to cope with packet collisions - so timing a call/response reaction would not give you distance at all. The legality aspect doesn't seem to me too much of a problem, as if the premise works, the phone companies may even support it - but I suspect the idea has already been considered, probably by the security service. Triangulation would seem a better prospect.

Education wise, students come up with tons of possible projects, and the staff say what we have said, and knock 99% on the head before they start. It doesn't hurt to ask a bunch of people like us the question, to get the responses, does it?

My view is that it's got a lot of flaws and issues that would in the field be difficult to control.

Lastly, in the UK, the crime committed is unauthorised interception. Does this mean tuning into a frequency, or doing something with it? Being aware a signal is there by using a spectrum analyser, for instance to track down interference - is that a crime? I doubt it. How about finding the interference, getting the frequency and typing it into a scanner to see what kind of signal it is? Is that then the crime? Perhaps still OK (or in the case of many sources, not really OK but not considered bad - marine, military air etc). If you discover it's the big letter name agencies, then perhaps getting riskier. Crimes are kind of binary really - with the response analogue. I can't see that tuning into digits from a cellphone in a disaster assisting manner is a problem. Transmitting on the cell phone TX channels would indeed need a license, but R&D licenses exist - certainly in the UK, and universities are common locations for them.
 

n0nhp

Member
Joined
Dec 1, 2005
Messages
773
Location
Grand Junction
Slicer: Consider when you first turn on your phone, the tower does not know it is there. The phone has to announce its presence and availability.
Living in the mountains and deserts of the west, I have forgotten to turn off my phone when leaving coverage and had a dead battery in the space of a couple of hours rather than a couple of days when in range. The transmitter will transmit every few seconds at full power until a response is heard. It does not do so on the voice pairs; it will rotate through the control pairs assigned to its carrier.
 

Meny

Member
Joined
Dec 12, 2015
Messages
3
Thank you all for your comments. Very helpful.
For the one who asked: I don't want to provide any information that I shouldn't about my sponsoring professor, but the project is conducted in Ben Gurion University, Israel (electrical engineering department).

A few assumptions about the state of the mobile phone that is being located:
the phone is ON and has active communication with its network.
Also, at this point I'm not interested in height or direction; only distance will be sufficient at this point.
I'm assuming for now that there are no obstacles in the way, just a straight line from the USRP to the mobile phone.
If that would work, later on I will think about improvement.

Actually I came to you after about a month of different tries and methods that had not gone well,
such as:
- trying to pull I/Q samples off the air and making sense of them
- trying to create LTE/UMTS base stations and connect with cellular phones nearby: complicated and requires registration to the network, so not a really good idea.

Now I'm thinking about using the SDR as a radar, just because I don't really see any other option.
Do you happen to know any similar project/relevant material that could help me?
I've searched and read a lot, and really got confused by the tons of papers out there.
As I said at the beginning, the latest idea I found is based on the SAW filters that cellular phones use.
Is it practical?

Again, thank you all for your help!
Meny
 

prcguy

Member
Joined
Jun 30, 2006
Messages
15,359
Location
So Cal - Richardson, TX - Tewksbury, MA
Your project should be doable and the company I worked for used a similar method for measuring satellite locations in space.

We inserted a pulse in an existing encoded video uplink stream and had a specially modified receiver sampling the uplink signal from the transmitter to provide a starting reference signal that could be synced to a GPS signal for time reference. We then had a couple of similar receivers spanning a large area of the satellite coverage that received the same pulses and reported the precise time received compared to the GPS time.

With this the satellite could be triangulated in space from several distant receive sites on the ground once the system was calibrated.

I suppose you could encode a similar pulse or tone from a cell site transceiver and measure the return time though the cell phone back to the cell phone base transceiver. Once you know all the system delays you would have pure distance time to measure and determine how far away the cell phone is from the cell site.

You would have to find a way for a pulse or tone to propagate through the phone as most if not all the cell site audio from the party calling the cell phone does not make it back to the calling party, otherwise there would be an objectionable amount of side tone to the calling party.
prcguy
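The satellite scheme prcguy describes (one reference receiver plus several distant, GPS-disciplined receivers that timestamp the same pulse) is ordinary time-difference-of-arrival multilateration, and the "once the system was calibrated" step is the subtraction of each site's fixed delay before the differences are formed. The following is an added example, not code from the thread or from any poster: it synthesises timestamps for four constructed receiver sites and a constructed source position, then recovers the position with a Gauss-Newton solve of the hyperbolic range-difference equations. All positions, delays and timestamps are invented for illustration; the timestamps are taken as seconds since the shared GPS PPS edge so that double precision is not wasted on the epoch.

```python
"""TDOA multilateration of a pulse source from GPS-timestamped receivers.

Added example for the forum discussion above; the receiver positions,
per-site delays and timestamps are constructed, not measured.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def distance(a, b):
    """Euclidean distance between two (x, y) points in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def simulate_arrivals(receivers, source, t_emit, site_delays):
    """Constructed timestamps: emission time + flight time + site delay.

    Times are seconds since the common GPS PPS edge (kept small so the
    float resolution is far below a nanosecond).
    """
    return [t_emit + distance(source, r) / C + d
            for r, d in zip(receivers, site_delays)]


def locate_tdoa(receivers, arrivals, site_delays, guess=None,
                iters=50, tol=1e-6, max_step=5000.0):
    """Estimate the 2-D source position from arrival timestamps.

    receivers   : surveyed (x, y) positions in metres
    arrivals    : arrival times in seconds (shared GPS time base)
    site_delays : calibrated fixed delay of each site in seconds
    Returns (x, y) in metres.
    """
    n = len(receivers)
    # Calibration: strip each site's cable/filter/ADC delay first.
    t = [arrivals[i] - site_delays[i] for i in range(n)]
    # Range differences relative to receiver 0; the unknown emission
    # time cancels in the difference.
    rd = [C * (t[i] - t[0]) for i in range(1, n)]
    if guess is None:  # start at the centroid of the receivers
        guess = (sum(r[0] for r in receivers) / n,
                 sum(r[1] for r in receivers) / n)
    x, y = guess
    for _ in range(iters):
        # Residual f_i = |p - r_i| - |p - r_0| - rd_i, Jacobian row is the
        # difference of unit vectors from r_i and r_0 towards p.
        a00 = a01 = a11 = b0 = b1 = 0.0
        d0 = distance((x, y), receivers[0])
        u0 = ((x - receivers[0][0]) / d0, (y - receivers[0][1]) / d0)
        for i in range(1, n):
            di = distance((x, y), receivers[i])
            ui = ((x - receivers[i][0]) / di, (y - receivers[i][1]) / di)
            f = di - d0 - rd[i - 1]
            jx, jy = ui[0] - u0[0], ui[1] - u0[1]
            a00 += jx * jx; a01 += jx * jy; a11 += jy * jy
            b0 += jx * f;  b1 += jy * f
        det = a00 * a11 - a01 * a01
        if abs(det) < 1e-12:
            raise ValueError("degenerate geometry: receivers nearly collinear")
        # Solve the 2x2 normal equations (J^T J) delta = -J^T f by Cramer's rule.
        dx = (-b0 * a11 + b1 * a01) / det
        dy = (-b1 * a00 + b0 * a01) / det
        step = math.hypot(dx, dy)
        if step > max_step:  # damp wild first steps from a poor guess
            dx *= max_step / step; dy *= max_step / step
        x += dx; y += dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y


def demo():
    """Constructed scenario: 10 km square of receivers, source inside it."""
    receivers = [(0.0, 0.0), (10000.0, 0.0), (0.0, 10000.0), (10000.0, 10000.0)]
    delays = [1.2e-6, 0.4e-6, 0.9e-6, 0.7e-6]   # constructed per-site delays
    source = (3000.0, 7000.0)
    arrivals = simulate_arrivals(receivers, source, 0.123456, delays)
    calibrated = locate_tdoa(receivers, arrivals, delays)
    uncalibrated = locate_tdoa(receivers, arrivals, [0.0] * 4)
    return calibrated, uncalibrated


if __name__ == "__main__":
    cal, uncal = demo()
    print("calibrated estimate:  ", cal)
    print("uncalibrated estimate:", uncal)
```

The uncalibrated run shows why the calibration step matters: a few hundred nanoseconds of unmodelled delay at one site is tens to hundreds of metres of range-difference error, which the solver faithfully turns into a wrong position.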

 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
23,881
Location
Roaming the Intermountain West
Thank you all for your comments. Very helpful.
For the one who asked: I don't want to provide any information that I shouldn't about my sponsoring professor, but the project is conducted in Ben Gurion University, Israel (electrical engineering department).

Rules may very well be different in Israel; I'm not familiar with them. I am, however, very well versed in the FCC rules in the USA, as well as being a telecommunications engineer at a university. I'd be surprised if the rules were vastly different...
Being a university-sponsored research project does not automatically exempt you from the rules. I've been through this many times at work, and while many will attempt this argument, it will never hold up in court.

The right way to do this is to use a radio service that is covered under "license by rule" or similar. I'd recommend looking at Bluetooth or WiFi as an option. Trying to compete with high power cellular base transceivers is going to be problematic. Most systems use TDMA or IP, so narrowing down which signal belongs to which cellular device while dealing with the high level of background noise is going to be difficult.

Using a lower powered radio is going to give you better results. Avalanche beacons used in the snow use low power signals. It's much easier to DF a low power signal than it is a high powered one. Dealing with reflections, multipath, etc. complicates things. A low power Bluetooth or WiFi signal is going to be easier, require less power than cellular, and use less battery power (might be important for long term tracking). It also makes it easier to deal with the possible licensing issues.

Most people have WiFi or Bluetooth constantly turned on. Being able to track the MAC address of the WiFi radio might be easier, but trying to trick a radio to listen to only one MAC address is going to take some work. Bluetooth works the same way. The cellular phone will be broadcasting some sort of beacon looking for a connection. It'll be ID'd.
Probably talking to the Bluetooth radio and getting it to ping would be easier.
Even better if you could develop an application that would be able to recognize your system and send back the last known good GPS position or some sort of triangulation using cellular towers or WiFi hotspots. Might get you within a few meters or so.

Most cellular carriers can ping a cell phone and have it send its GPS coordinates. So some of this might be already solved. GPS coordinates on their own can be off by 10 meters or so. So, having your project be able to pinpoint the position might be better.

Since you are dealing with a single device, you'll either need some sort of Signal Arrival Delay system that will find the location and/or simple direction finding using a directional antenna. Nice thing is that 2.4 and 5.8 WiFi frequencies use small antennas. Bluetooth is going to be a bit harder since it uses frequency hopping spread spectrum, so getting your receiver to track that is going to be difficult.

Sounds like an interesting product and something very useful. I'd love to hear more about this. I'm sure there would be a market for this if you could make it carrier/vendor agnostic and not require any sort of downloaded application for it to work.
 

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,643
Location
Toronto, Ontario
Slicer: Consider when you first turn on your phone, the tower does not know it is there. The phone has to announce its presence and availability.
Yes - the phone finds an active control channel and sends a registration request. The base station was transmitting long before the phone was turned on. The base station is sending general broadcast messages to all phones, including any that are just turned on. So as I said, the base station transmits first. The registration process is initiated by the phone when it finds an active base station.

If the site goes off the air, the phone will not see it, so a registration attempt will not be initiated. Instead, the phone will go through its almanac, looking for the last received control channels as well as the control/registration channels listed in received neighbor lists. If that does not find an active channel, a full band scan is initiated. That lets you turn off your phone and transport it to anywhere the network has coverage, and when turned back on, the phone will find a local site.

Phones don't just transmit in the blind on every possible frequency; it would be:

a) very slow
b) power-hungry
c) pointless
 

n0nhp

Member
Joined
Dec 1, 2005
Messages
773
Location
Grand Junction
Well, next time you are out of range of service, I suggest you fire up the SDR and watch what happens.

I have stated my experience and I have seen it on my own setup and you are right, it is very power hungry.

Bruce
 

wtp

Member
Joined
Apr 3, 2008
Messages
6,007
Location
Port Charlotte FL
At an old job

the workers could not use the phones on the job, only at break or the end of the day.
They were all stored in old school style metal lockers.
The ones that were turned off lasted the whole day.
The ones that were left on were all dead.
Just my observation.
 

jiminpgh

Lurker
Premium Subscriber
Joined
Dec 19, 2002
Messages
119
Location
Pittsburgh, PA
Phase 2

Gee whiz,
I hear about locating callers on the scanner with "phase 2" all the time. I googled cell phone phase 2 and they explained how the telco carriers do it. I'm surprised that the whole world does not have that; why reinvent the wheel........
Then again I never tried my NOOElec in the cell phone bands.
Sounds kinda sinister to me anyway.
My phone dies when out of tower range pretty quick, I have to turn it off.
 

Lawman51

Member
Joined
Nov 23, 2015
Messages
36
Location
TN
Jiminpgh, the SDR you have has the cellular bands removed. This has to be done in the US for FCC approval... while that is not really an issue these days with the CDMA, etc. the newer phones use, there was a time back in the late 80's to mid 90's when you could catch the old phones on the 800 MHz frequencies. As I recall it was 1995 or about that all the scanner manufacturers had to delete these from the band coverage of their scanners. And yes, phones do endlessly transmit trying to get a tower to let them on the network. I am guessing this guy might be doing some research with SAIC through CMU, so they might have an exception to policy issued to the project. Kind of a white hat type of research to help prevent black hats' efforts.
 

redbeard

OH, PA, WV Regional Admin
Database Admin
Joined
Feb 5, 2003
Messages
1,261
Location
BEE00.348-3.1
Guys, the reason the phones go dead has nothing to do with the transmitter. It's all about receive battery saver. Once a phone hears a tower's data channel, it registers itself then goes to sleep. Also, when the base station has a poor signal on the phone, it tells it to crank up the power when it checks in, which causes more power drain as well. I'd say a phone with no signal will last slightly longer than one with a poor signal because of the extra transmit power the base station is asking for. When you have "full bars" the phone is transmitting at its lowest setting and checking in the least frequently. I believe the best way to make this work would be to mimic a Stingray device/"fake cellphone tower" so that the base station can direct the phone to check in frequently and at a higher power to be more easily tracked.
 

kayn1n32008

ØÆSØ
Joined
Sep 20, 2008
Messages
6,638
Location
Sector 001
Guys, the reason the phones go dead has nothing to do with the transmitter.

Uh yes it is...

It's all about receive battery saver. Once a phone hears a tower's data channel, it registers itself then goes to sleep.

Sure...

Also, when the base station has a poor signal on the phone, it tells it to crank up the power when it checks in, which causes more power drain as well.

The weaker the uplink signal, not downlink, the site tells the phone to up the power.

I'd say a phone with no signal will last slightly longer than one with a poor signal because of the extra transmit power the base station is asking for. When you have "full bars" the phone is transmitting at its lowest setting and checking in the least frequently.

I believe now phones will look for service and eventually give up. Old school phones would just search until the battery died.

Signal strength has no bearing on how often a phone beacons. It does however mean that when it does it will use more power. Not beacon more frequently.
 