Positioning of A Cellular Phone Using The SIM


Master's Thesis in Computer Science, Royal Institute of Technology (Kungliga Tekniska Högskolan)

Positioning of a cellular phone using the SIM


Oskar Mattsson Stockholm, 2001

Examiner: Prof. Mats Brorsson Department of Microelectronics and Information Technology Royal Institute of Technology

Supervisor: Jonas Persson SmartTrust AB

Abstract
As the market for cellular telephones, and other mobile devices, keeps growing, the demand for new services arises to attract the end users. One topic that is being discussed throughout the world today is location-based services. How can a mobile device be located and in which way can a service be constructed to utilize this information? Work has begun to create a standard of how the position can be derived from the system, at the same time different solutions have been presented. These solutions require changes in the existing infrastructure of the GSM system in one way or another, and are based on information residing in the network. This forces the operators to invest money to update their system. Sonera SmartTrust provides products and solutions for the mobile market, enabling the operators to enhance their security and provide services to their customers. This paper presents a solution how the position of a mobile device can be determined using the SIM card. A demonstration is implemented using SmartTrusts products to perform a location-based service, without any needs for changes in the GSM infrastructure.


Table of Contents
1. Introduction ... 1
  1.1 Wireless market ... 1
  1.2 Background to the problem ... 2
  1.3 Organization of the thesis ... 2
2. Location-based services ... 4
  2.1 Emergency calls ... 4
  2.2 Assisting services ... 4
  2.3 Fleet management ... 5
  2.4 Personal services ... 5
  2.5 Personal privacy ... 5
3. The GSM System ... 6
  3.1 Introduction ... 6
  3.2 Network architecture ... 6
    3.2.1 Mobile Station (MS) ... 7
    3.2.2 Base Station System (BSS) ... 7
    3.2.3 Switching System ... 7
    3.2.4 Geographical areas ... 8
  3.3 Radio interface ... 9
    3.3.1 Physical channels ... 9
    3.3.2 Logical channels ... 10
    3.3.3 Radio signalling issues ... 10
    3.3.4 Timing Advance ... 11
  3.4 SIM card ... 12
    3.4.1 Security ... 12
    3.4.2 SIM Application Toolkit ... 14
    3.4.3 Micro browser ... 15
  3.5 Short Message Service ... 16
4. Obtaining the position ... 18
  4.1 Cell Of Origin (COO) ... 19
  4.2 Timing Advance (TA) ... 19
  4.3 Time Of Arrival (TOA) ... 20
    4.3.1 Time Difference of Arrival (TDOA) ... 21
  4.4 Enhanced Observed Time Difference (E-OTD) ... 21
  4.5 Angle Of Arrival (AOA) ... 22
  4.6 Network Measurement Result (NMR) ... 23
  4.7 Global Positioning System (GPS) ... 24
    4.7.1 Assisted GPS (A-GPS) ... 25
  4.8 Conclusion ... 26
5. Handset vs. network based positioning ... 28
6. SmartTrust products ... 30
  6.1 System overview ... 30
  6.2 Wireless Internet Gateway ... 31
  6.3 Wireless Internet Browser ... 32
7. Implemented demonstration ... 33
  7.1 Positioning schemes ... 33
  7.2 Programming language ... 33
  7.3 System structure ... 34
    7.3.1 WML script ... 35
    7.3.2 User interaction function ... 36
    7.3.3 Calculation function ... 37
    7.3.4 Database ... 37
    7.3.5 Message flow ... 37
  7.4 Results ... 38
8. Future work ... 40
9. Conclusions ... 41
10. List of references ... 42
Appendix A: Abbreviations ... 44
Appendix B: SIM Application Toolkit features ... 46


1. Introduction
1.1 Wireless market
In May 2001 the Swedish Post & Telestyrelsen (the Swedish National Post and Telecom Agency) presented a market survey about the telecom market in Sweden [1]. It shows that the number of wireline subscriptions decreased in 2000, while the number of mobile subscriptions continued to increase. Today there are more mobile subscriptions in Sweden than wireline, and with a total of 6.338.000 mobile subscriptions the penetration (footnote 1) is as high as 71%. This creates a new situation in society where people have a higher degree of freedom to place their calls wherever they are, whenever they want. Of course new problems and demands also arise with the new situation.

With new technologies being developed, combined with the increased mobility, new services can be provided. One group of services that has been getting a lot of attention lately is location-based services (LBS). More people are carrying a mobile device; if those devices could be positioned, a whole new range of services would be possible. Not only commercial business would benefit from LBS: public services such as emergency calls will also benefit from knowing where the caller is located, as is already the case for wireline emergency calls. The concepts of such services are discussed more thoroughly below.

The analyst and consultant company Ovum presented in January 2001 a report where they predict the mobile location market to be worth US$20 billion by 2006, with m-commerce as the driving force [2]. Operators and vendors that want to be part of this market need to start developing services that attract the users in order to gain maximum revenue. But as yet no single technology has been determined as the definitive solution to use when building LBS. Many companies, such as CellPoint and Cambridge Positioning Systems, have started to create solutions for how location-based services can be done, each with a different approach. The various solutions to choose from become a problem for the operators and vendors.

Some kind of standard is needed for the operators to easily implement the services into their products. The European Telecommunications Standards Institute (ETSI) has issued a Technical Specification (TS) [7] that addresses 4 different methods to be included in a future standard. In September 2000 Ericsson, Motorola and Nokia founded the Location Inter-operability Forum (LIF) [4], which strives to help set the standards in the area. And in December 2000 the Wireless Location Industry Association (WLIA) [5] was founded to look more at the commercial issues of LBS.

Footnote 1: The penetration is measured as the total number of subscriptions as a share of the entire population.


1.2 Background to the problem

Besides the lack of standards, as mentioned above, many positioning methods will require expensive upgrades of the existing GSM infrastructure. For instance, the Time Of Arrival method (see section 4.3) requires each base station to be equipped with a Location Measurement Unit (LMU), and every LMU equipped with GPS time in order to be synchronized. If the operator has a large number of base stations, the expense of equipping each base station with a GPS receiver will become very high.

The different methods being discussed today are network based, i.e. they are executed within the GSM network, for example using an LMU. What is not discussed as much is handset-based methods. If the execution could use information available in the handset, the changes to the GSM infrastructure would potentially be less expensive. It could also become easier for the developer, who would no longer have to rely totally on the operators.

To increase the functionality in the handsets a set of commands has been specified, the SIM Application Toolkit (SAT) commands [10]. These commands enable the SIM card to interact with and operate the cellular phone. Normally, for a developer to use the SAT commands, the user's SIM card has to be changed into one that has the developed application stored in its memory. By equipping the SIM cards with a so-called micro browser, similar to the WAP browser in a WAP-enabled handset, SAT commands can be used more easily. One such browser that normal GSM phones can use is the Wireless Internet Browser (WIB), which today is an open de facto standard in the process of being standardized. Among its features are the possibilities to browse WML pages, execute SAT commands and store new applications on the SIM card.

An interesting feature of the SAT commands is the possibility to query the handset about its stored location information. This information consists of parameters such as the serving cell and signal strength, and is normally used by the cellular phone to make decisions about the network. This information could be used when determining the position of the handset. Throughout this paper I will show how these techniques, the SAT commands and the micro browser, can be used when calculating a position. Different methods of obtaining the position will be discussed, in order to find a suitable method that can be based on information available in the phone.

1.3 Organization of the thesis

This master's thesis aims at two goals. The first goal is to investigate how location-based services can be conducted by utilizing the micro browser on the SIM card. The second is to implement a demonstration, using products available from SmartTrust.


In section 2 the concept of location-based services is discussed: what can be done and what impact it will have on our community. Section 3 gives an overview of the GSM network. Section 4 then goes through different methods to obtain and calculate the position of mobile devices, such as the Time Of Arrival method mentioned earlier. Section 5 makes a comparison between positioning based on information in the network and in the phone. In sections 6 and 7 I describe the implemented demonstration: section 6 describes the SmartTrust products used in the demonstration and how they integrate into the GSM system, and section 7 describes the actual solution and the implemented demonstration. Finally, sections 8 and 9 present future work and the conclusions of the thesis.


2. Location-based services
2.1 Emergency calls
One very important service in our society is the emergency call centres. By dialling a simple number on the telephone, 112 in Europe and 911 in the U.S., help can quickly be obtained in case of an emergency. But for this service to work properly the location of the caller is needed. First the call must be routed to the correct call centre, since every centre only covers a limited area. Then, by knowing the location of the caller, the emergency operator can get aid from computers in the form of maps and local information, and quickly dispatch the assignment to the closest available unit.

A couple of years ago it was a rather safe assumption that a received call was made from a fixed location. That was a fact the emergency call services relied on: when the call was made the system would know where it was made from, based on the registered address of the number's owner. Today in the U.S. 20% of the emergency calls are made from mobile phones, and the number is expected to grow to 60% by 2002. These are calls for which the emergency operator can't get location information, and in many cases a caller from a mobile phone doesn't know his exact location. This has become such a big problem that the U.S. Federal Communications Commission has issued a mandate, E911, requiring the service operators to be able to identify the location of the caller within 125 m, 67 percent of the time, by October 2001 [3].

2.2 Assisting services

There are a few different examples of assisting services that could make use of positioning information. One is roadside assistance. When driving on a highway it can be hard to know where on the road you are. If the car breaks down somewhere in the middle of nowhere it might take a long time for the assistance to arrive if the location is not known. By determining your location the assistance can arrive much quicker. This kind of service doesn't need a very accurate position. Often it is enough to know within which area the location is, since the road is already known and the assistance only needs the correct direction to drive.

Another service is getting driving directions. While travelling to an unknown location, an aid that gives you directions where to drive can be a useful service. Such a service would need a somewhat accurate position, especially in urban areas, to be able to determine the exact road. In a rural area where the number of roads is smaller, the position can be allowed to be less accurate. Services such as broadcasting warnings about traffic jams can also be useful, especially if the message includes how far ahead of you the jam is and provides you with an alternative route.


2.3 Fleet management

A much sought-after service among companies is fleet management. Taxi companies would be able to keep track of where their cars are located, in order to assign new orders to the closest available car. Truck companies would be able to see when a shipment is about to arrive at the destination, and could alert the receiver to stand by if needed. Sales companies could see where their salesmen are. The list can be made long.

2.4 Personal services

When in a new town it's not always easy to find the facilities and services one needs. Be it a restaurant or a post office, receiving directions to the closest one would prove very helpful. By letting the user request the service, the operator can find his location and match it against their database to find the closest place. A common use for mobile phones today is to try and find where friends are in order to meet them. This requires a lot of phone calls or, especially among young people, a lot of text messages sent back and forth. Instead the user could enter the phone number of the person he wants to find, and as a result get an address or an answer similar to "Person is located 100 m east of you".

2.5 Personal privacy

An important issue to consider when dealing with positioning services is personal privacy. By enabling the mobile devices to be located, does that mean they are turned into homing beacons which will allow Big Brother to keep an eye on you wherever you go? How far can we go before breaking personal integrity? It must be up to the users when and where their devices can be positioned. The users should be able to set up rules, perhaps even on a per-person basis. Maybe I don't want my mother to see where I am late on a Friday night, but my friend who I am meeting should be able to locate me.

Another issue is law enforcement. Being able to locate a suspect would give great aid to the police. But people would argue that locating someone's mobile device could be compared with tapping a phone line, and therefore a warrant should be needed before performing the positioning.

Two different scenarios of being located can be seen: either the user requests to be located, or it's the system trying to locate the user. If these two scenarios are treated differently, perhaps the users will turn off the functionality to be located by the system. That would restrict the commercial value of the systems, since functions such as targeted ads would no longer work properly. Nor would requests from law enforcement. But if they are not treated differently, the users will lose some possibilities to set their personal preferences. Between all these issues a compromise must be found. If the users trust the operator, then the operator could set up general rules, for example allowing the emergency call centres to locate a person even if that person has blocked all normal requests.


3. The GSM System


3.1 Introduction
The first mobile systems hit the market in the early 80s. NMT-450 (Nordic Mobile Telephony) was the first out, followed by AMPS (American Mobile Phone System), both analogue systems. Soon it became clear that the analogue systems weren't expandable enough to hold future growth, and in the mid 80s work began to develop a second, digital, generation mobile system that later would be known as the Global System for Mobile communications (GSM). When the GSM system officially launched in 1992 in a few different European countries it immediately became a success; by the end of 1993 there were more than one million subscribers. And it keeps growing. By 1995 there were 12 million users in 86 different countries. In June 2001 there were more than 550 million subscribers in 151 countries, with a forecast of over 1400 million subscribers by the end of 2005 [12,13].

Figure 1 - World GSM subscriptions. Diagram taken from GSM World.

The development of the GSM system is today driven by ETSI, the European Telecommunications Standards Institute. The specifications define the different units in the network by defining their functions and interfaces, ranging from the radio interface between the senders and receivers to how a text message should be constructed. Today work is underway on a third generation of mobile systems, developing along with modifications of the second generation. These modifications are called generation 2.5, and an example is the GPRS (General Packet Radio Service).

3.2 Network architecture

The GSM architecture consists of several different units, and can be divided into 3 main parts:

- The Mobile Station (MS)
- The Base Station System (BSS)
- The Switching System

Figure 2 - GSM system overview

3.2.1 Mobile Station (MS)
The Mobile Station is the only part of the GSM system that the users usually ever see; it's the phone carried by the user to place and receive calls. The MS consists of two different entities: the mobile equipment (ME) and the Subscriber Identity Module (SIM) card. The ME is the hardware enabling radio communication with the network. It is identified by its International Mobile Equipment Identity (IMEI), but is anonymous in the sense that it is not tied to any particular subscriber. It is the SIM card that identifies the subscriber in the network and keeps the information necessary for the ME to use the network.

3.2.2 Base Station System (BSS)
The Base Station System connects the MS to the network, and is in charge of transmission and reception. The BSS can be divided into the Base Transceiver Station (BTS) and the Base Station Controller (BSC). It's the BTS that handles the communication between the MS and the network; it consists of radio equipment and antennas to serve a small area, a so-called cell (see below). The BSC controls and supervises a group of underlying BTSs. While the BTS handles the actual radio communication, the BSC controls all actions taken, such as transmitting power, when and what to transmit, etc.

3.2.3 Switching System
The switching system has as its main role to manage the communications between the mobile users and other users, such as mobile users or fixed telephony users on the Public Switched Telephony Network (PSTN). The switching system also includes the databases needed for subscriber data and mobility management. These units are described below.

Mobile services Switching Centre (MSC)
The MSC performs the switching functions within the network, and sets up, supervises and releases calls. It can connect calls within the GSM network, or between the GSM network and other networks when necessary.


Gateway Mobile services Switching Centre (GMSC)
The GMSC connects and acts as a gateway between the GSM network and the PSTN. The GMSC is responsible for finding out in which part of the network the MS is located by querying the HLR, and also for routing the call there.

Home Location Registry (HLR)
Operators have a global register, the HLR, containing information about all their subscribers to the network. The HLR also includes information about the subscriber's current location and which MSC serves the user at the moment.

Visitor Location Registry (VLR)
The VLR is a regional database, compared with the HLR which is global, and is found together with every MSC. This register stores information about all subscribers that are registered in that MSC area at the moment. When the HLR has provided the GMSC with the MSC service area in which the subscriber is registered, a more detailed description of which Location Area (LA) the MS will be found in can be obtained from the VLR.

Authentication Centre (AUC)
The AUC is used for security purposes. It manages data for the authentication of subscribers and for encryption. All MSs can be asked to go through an authentication process before being allowed access to the network.

Equipment Identity Register (EIR)
The EIR is also used for security purposes, but for hardware issues instead of subscribers. By storing information about valid MEs, the IMEI, it can verify that the equipment is approved, not stolen, etc.

3.2.4 Geographical areas
Every telephone network needs a structure in order to route the calls to the right entities. This is even more essential in a GSM network where the subscribers are mobile and move around all the time. This structure is obtained by dividing the network into different levels of geographical areas. See Figure 3. The cells are the smallest geographical entities, each cell covered by one BTS. A cell can be of different sizes, from a radius of tens of kilometres in rural areas down to a radius of tens or hundreds of meters in an urban area. The maximum cell radius is defined to be 35 km, due to signalling issues.


Figure 3 - Geographical structure

A number of cells are grouped into a Location Area (LA), and a group of LAs defines the MSC/VLR service area (Mobile services Switching Centre/Visitor Location Register). Note that the divisions into LAs have nothing to do with which BSC the cells belong to. The top-level area is the Public Land Mobile Network (PLMN), which is a complete GSM network belonging to one network operator, and can contain one or several MSCs. Each country can have one or several PLMNs.

3.3 Radio interface

The theories of the radio and air interfaces are too vast to go into in detail in this report. A more detailed description can be found in [15] and [17] and in the specifications.

3.3.1 Physical channels
The GSM system is specified to use a limited frequency spectrum. With an available frequency band of 25 MHz (footnote 2) it's important to utilize the space as much as possible. To allow maximum usage of the system, a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) techniques is used. Each frequency band is divided into 124 carrier frequencies, separated by a 200 kHz spacing, using FDMA. Each of these carriers is subdivided into 8 timeslots, using TDMA. A physical channel is defined as one time slot on one carrier, and can carry one burst of information. A burst is a formatted sequence of bits that lasts 0.577 ms.

Footnote 2: 890-915 MHz uplink and 935-960 MHz downlink.


3.3.2 Logical channels
When communicating, the BTS and MS share many different types of information. Each type of information is structured into logical channels, where a logical channel is a specific type of information carried by a physical channel.

- Traffic CHannel (TCH). The TCH is used to carry speech or data traffic.
- Broadcast Control CHannel (BCCH). Gives the MS the parameters needed to identify and access the network. The information supplied could be the frequencies of neighbour cells for the MS to monitor, the Location Area Identity (LAI), etc.
- Synchronization CHannel (SCH). Gives the training sequence needed in order for the MS to demodulate the information transmitted by the BTS. The SCH also contains the Base Station Identity Code (BSIC), which allows the MS to verify that it is listening to the correct frequency and PLMN.
- Frequency Correction CHannel (FCCH). Supplies the MS with the frequency reference (footnote 3) of the system, in order for the MS to synchronize with the network.
- Paging CHannel (PCH). Used to alert the MS of an incoming call or Short Message (SM).
- Random Access CHannel (RACH). Used by the MS to request access to the network.
- Access Grant CHannel (AGCH). Used by the BTS to acknowledge a RACH. The MS will also be assigned a signalling channel (SDCCH) to use for the purpose of its access.
- Standalone Dedicated Control CHannel (SDCCH). The channel on which the actual signalling takes place.
- Slow Associated Control CHannel (SACCH). Used for channel maintenance and channel control.
- Fast Associated Control CHannel (FACCH). Used when urgent signalling information must be transmitted.

3.3.3 Radio signalling issues
Since the GSM system uses a radio interface to communicate between the BTSs and MSs, there will be different problems that might lower the quality of the signals. These problems might also affect different location schemes. Some of the methods use time measurements to calculate the position, and if the signal is erroneous the calculations might go wrong. The following issues are among the most common.

Footnote 3: The frequency reference is a transmitted pure sine wave.


Path loss
Signal attenuation, or path loss, causes the radio signal to become weaker the longer the distance it has traversed. This can be a problem, making it difficult to obtain strong enough signal strength. But it's also the principle on which cellular technology is built: since the signal eventually will be too weak to receive, the frequency can be re-used if the distance between the BTSs is long enough.

Shadowing and multi-path fading
In many cases it's not possible to have a line of sight between the MS and BTS, such as in an urban area with a lot of tall buildings. The obstacles then cause shadowing, which results in variations in signal strength as the MS moves around. When no line of sight is possible, reflected signals are used instead. Normally the MS will not receive one but several reflected signals, and the resulting signal might be stronger or weaker than the individual signals. Since the reflected signals have different traversing times they will be slightly out of phase. If there is no, or almost no, phase difference, the resulting signal may have better signal strength. But if the phase difference is close to 180 degrees the signals might cancel each other out. This phenomenon is called multi-path, or Rayleigh, fading.

Time dispersion
When moving in an open area with very large reflecting objects, such as mountains, time dispersion might be present. If the radio signals are reflected the MS might not only receive the signals directly from the BTS, but also a fairly strong reflection from the reflector. This will cause interference between the signals. The bit stream from the direct signal may arrive several bit-times earlier than the reflected bits. This effect, caused by the time dispersion, is called Inter Symbol Interference. This is mainly a concern in rural areas.

Static noise
All radio communications are affected by noise in the transmissions, so-called static noise. It can be general background noise, atmospheric disturbances such as lightning, or man-made causes like engine ignition.

3.3.4 Timing Advance
In the TDMA scheme it's important that the information is sent and received in the designated timeslots. If the sender is far away from the receiver the signal will be delayed as it traverses through the air. With too large a time difference between the intended arrival time and the actual arrival time, the signal will be out of synchronisation and the receiver will not be able to decode it.


To deal with this, a concept called Timing Advance is used. In every frame the MS transmits there is a sequence called the training sequence. Using this training sequence the BTS can measure the degree of synchronisation between the MS and BTS, and send the calculated Timing Advance value back to the MS, telling it how much delay the MS should use when transmitting new signals. GSM 05.10 [9] defines the Timing Advance value to be coded between 0 and 63, with corresponding time values between 0 and 233 µs. With a maximum cell radius of 35 km, each increment of the value corresponds to a distance of approximately 550 m.
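As an added example (not code from the thesis), the following Python carries the Timing Advance arithmetic above through: it derives the ~550 m step from the GSM bit period, maps a TA value to the distance ring it implies around the serving BTS, and shows that positions inside the same ring cannot be told apart by TA alone. The constants are those given in the text and GSM 05.10; the function and class names are this example's own.

```python
"""Timing Advance (TA) to distance, as used for coarse GSM positioning.

Added example, not part of the thesis.  Constants follow GSM 05.10 as
summarised in section 3.3.4: TA is coded 0..63, one step is one bit
period of round-trip delay, so 63 steps span roughly 233 us and the
35 km maximum cell radius.  Names below are this example's own.
"""
from dataclasses import dataclass

C_M_PER_S = 299_792_458.0          # speed of light
BIT_PERIOD_S = (48 / 13) * 1e-6    # GSM bit period, about 3.69 us
TA_MAX = 63                        # TA is coded in 6 bits: 0..63

# One TA step is one bit period of *round-trip* delay, so the one-way
# distance per step is half a bit period at the speed of light (~553 m).
STEP_M = C_M_PER_S * BIT_PERIOD_S / 2


@dataclass(frozen=True)
class TaRing:
    """Annulus around the BTS in which an MS reporting this TA must lie."""
    ta: int
    inner_m: float   # closest the MS can be to the BTS (inclusive)
    outer_m: float   # furthest it can be (exclusive)
    delay_us: float  # round-trip delay this TA value compensates for


def ta_to_ring(ta: int) -> TaRing:
    """Map a coded TA value to its distance ring; reject values outside 0..63."""
    if isinstance(ta, bool) or not isinstance(ta, int):
        raise TypeError("TA must be an integer")
    if not 0 <= ta <= TA_MAX:
        raise ValueError(f"TA {ta} outside coded range 0..{TA_MAX}")
    return TaRing(
        ta=ta,
        inner_m=ta * STEP_M,
        outer_m=(ta + 1) * STEP_M,
        delay_us=ta * BIT_PERIOD_S * 1e6,
    )


def distance_to_ta(distance_m: float) -> int:
    """Inverse: the TA a BTS would assign to an MS at the given distance."""
    if distance_m < 0:
        raise ValueError("distance must be non-negative")
    ta = int(distance_m // STEP_M)
    if ta > TA_MAX:
        raise ValueError(f"{distance_m:.0f} m exceeds the TA range (~35 km)")
    return ta


def same_ring(d1_m: float, d2_m: float) -> bool:
    """True when two MS positions are indistinguishable by TA alone.

    This is the resolution limit of TA-based positioning: within one
    serving cell the method narrows the MS down to a ring ~553 m wide,
    never to a point, which bounds both its accuracy and what a
    location service can learn about the subscriber from TA.
    """
    return distance_to_ta(d1_m) == distance_to_ta(d2_m)


if __name__ == "__main__":
    for ta in (0, 1, 10, 63):
        r = ta_to_ring(ta)
        print(f"TA={r.ta:2d}: {r.inner_m:8.0f} .. {r.outer_m:8.0f} m "
              f"(delay {r.delay_us:.1f} us)")
    print("1.0 km and 1.1 km in the same ring:", same_ring(1000, 1100))
```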

3.4 SIM card

As described above the MS consists of two entities: the ME and the SIM card. Whereas the ME handles the radio communication, it is the SIM card that provides all user subscription information and personalisation. Without the SIM card the ME cannot log onto the system; simply put, the ME is then just a non-operational mechanical device.⁴ Since the SIM card holds all user information, it is not tied to a specific ME but can be used in any ME, and the owner of the SIM, not the owner of the ME, is charged for the calls.

The SIM card contains three different types of user-related information. The first type is information stored by the operator that cannot be changed, such as the International Mobile Subscriber Identity (IMSI) and the authentication key Ki. The IMSI identifies the subscriber within the GSM network, and Ki is used for security purposes. The second type is temporarily stored information, such as network information that changes over time. Examples are the Temporary Mobile Subscriber Identity (TMSI) and the Location Area Identity (LAI). The TMSI is used instead of the IMSI to identify the user in the network whenever possible, so that a particular IMSI cannot easily be tracked by monitoring the radio path. The LAI identifies which LA the subscriber is currently registered in. The last type of information is service-related: language preferences, phonebook, short messages, call log and so on. To enhance the functionality of the SIM card it can be programmed with SIM Application Toolkit commands, which enable the card to interact with the ME.

3.4.1 Security

Another important role of the SIM card, besides holding the user information, is its security function. The SIM card provides two kinds of security. The first protects the card against unauthorised use: the subscriber has a Personal Identification Number (PIN) code with which he is authenticated as the correct user.

⁴ One exception exists: the ME can place emergency calls without a SIM card.


The second kind is security over the radio path. To prevent the radio traffic from being intercepted by a third party, the traffic needs to be encrypted. For this reason the SIM card holds a secret parameter called Ki (also stored in the AUC), the subscriber authentication key. The secrecy of Ki is the cornerstone of the security mechanism. The key is stored on the SIM in such a manner that it can neither be read out nor overwritten; it is only used internally by the card during the authentication process. Since the secrecy of Ki is essential, it is never transmitted over the network. Instead Ki is used to calculate a temporary cipher key, Kc, which is used to encrypt and decrypt the radio traffic, see Figure 4.

Figure 4 - Authentication and Kc computation

Authentication

When the MS tries to connect to the GSM network, the AUC starts a challenge-response mechanism to check whether the MS is authorised to access the network. The AUC creates a random number, RAND, and sends it to the MS. The MS uses RAND together with its secret Ki to compute a response, SRES, and sends it back to the AUC. The AUC makes the same computation, since it too has access to Ki. The two SRES values are compared, and if they are equal the MS is authenticated to use the network. RAND is also used to compute the temporary cipher key Kc, but with a different algorithm than for the SRES computation.
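As an added illustration (not code from the thesis or from SmartTrust), the following Python simulates both sides of the exchange just described. The operator-specific A3 and A8 algorithms are not named on this page, so an HMAC-SHA256 stand-in is used for both, labelled as such in the code; the IMSI and Ki are constructed sample values. The transcript collected by `authenticate` shows that only RAND and SRES cross the radio path while Ki and Kc stay on the card and in the AUC.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def a3_a8_stand_in(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator-specific A3 (SRES) and A8 (Kc) algorithms.
    Assumption for this example only: HMAC-SHA256 keyed with Ki over RAND,
    split into a 32-bit SRES and a 64-bit Kc. The real algorithms differ,
    but the protocol around them is the same."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """The card side: Ki never leaves the object, only SRES and Kc come out."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        # Corresponds to the RUN GSM ALGORITHM command of GSM 11.11: the ME
        # passes RAND in and receives SRES and Kc back.
        return a3_a8_stand_in(self._ki, rand)


class AuC:
    """The network side: holds the same Ki per subscriber, keyed by IMSI."""

    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self._keys = subscribers

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)          # 128-bit RAND

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> tuple[bool, bytes | None]:
        ki = self._keys.get(imsi)
        if ki is None:
            return False, None
        expected_sres, kc = a3_a8_stand_in(ki, rand)
        # constant-time comparison so the check itself leaks nothing about SRES
        return hmac.compare_digest(expected_sres, sres), kc


def authenticate(sim: SIM, auc: AuC, imsi: str):
    """Run the challenge-response once; return the outcome, both sides' Kc and
    the messages that actually crossed the radio path."""
    transcript = []
    rand = auc.challenge()
    transcript.append(("AUC->MS RAND", rand))
    sres, kc_ms = sim.run_gsm_algorithm(rand)
    transcript.append(("MS->AUC SRES", sres))
    ok, kc_net = auc.verify(imsi, rand, sres)
    return ok, kc_ms, kc_net, transcript


if __name__ == "__main__":
    ki = secrets.token_bytes(16)
    imsi = "240010000000001"                    # constructed sample IMSI
    ok, kc_ms, kc_net, transcript = authenticate(SIM(ki), AuC({imsi: ki}), imsi)
    print("authenticated:", ok, "Kc agrees on both sides:", kc_ms == kc_net)
    for label, msg in transcript:
        print(f"{label}: {msg.hex()}")
```

Two points worth noticing in the simulation: the exchange authenticates only the MS to the network, there is nothing in it that lets the SIM check that RAND came from a legitimate AUC; and the AUC compares SRES in constant time, a detail the text does not mention but which a real implementation needs.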


3.4.2 SIM Application Toolkit

To provide value-added services on the GSM phone, ETSI has specified the SIM Application Toolkit (SAT) commands [10, 11]. SAT provides mechanisms for the SIM card to issue commands to the ME, and can be triggered by different events such as incoming Short Messages (SM) or user-initiated selections. By default the SIM card cannot do anything more than provide information to the ME when requested. The SAT commands give the SIM card the ability to interact with and control the ME: it can change the menu system, interact with the user, set up calls or messages, update services, and so on. This provides a very powerful base on which applications can be built and stored on the SIM card. The SAT commands can also utilise the security functions of the SIM. By asking the user for the PIN code and then encrypting the data being sent, secure applications can be created, which is a requirement when developing services such as banking. The specification defines a number of different mechanisms, of which Data Download to SIM and Proactive SIM are the most important for this work.

Data Download to SIM

The Data Download mechanism allows data, or SAT commands, to be sent to the ME and downloaded onto the SIM card. A normal SM can be used as transport, without any notification to the subscriber. This gives the operators the possibility to modify information on the SIM card when needed, such as subscription information. It also makes it possible to download and store an application on the SIM card, or to send SAT commands for execution.

Proactive SIM

This mechanism gives the SIM card the ability to initiate actions to be taken by the ME. These commands, called proactive commands, include most of what the user notices of SAT, such as displaying text. The communication between the ME and the SIM card is defined in GSM 11.11 [10], where the ME is always the master: it issues commands to the SIM card, which only responds. Therefore there is no mechanism for the SIM card itself to initiate communication with the ME. With the proactive mechanism, the ME instead asks the SIM card whether there are any commands it should execute, and after executing a command the result is returned to the SIM card. The direction of the communication, ME to SIM, has an important consequence: it is the ME that decides which SAT commands can be used. For example, an old ME has no way of knowing about a newly defined SAT command and hence cannot use it even if the SIM card can. Today the manufacturers work to make their products more and more compliant with the specifications, but many older products, and even some new ones, do not support all commands defined in the specifications.


An important proactive command for this work is Provide Local Information. This command allows the SIM card to ask the ME for its network parameters. The information includes:

- Location information: Mobile Country Code (MCC), Mobile Network Code (MNC), LAI and cell ID of the serving cell
- The International Mobile Equipment Identity (IMEI) of the ME
- Network Measurement Result (NMR) and BCCH channel list
- Current time, date and time zone
- Current language setting in the ME
- The Timing Advance (TA)

A short description of more proactive commands can be found in Appendix B, and a comprehensive description in GSM 11.14 [11].

3.4.3 Micro browser

Another way to use SAT commands is through a micro browser. The micro browser is a SAT application stored on the SIM card. Its features depend on the developer of the browser, but basically it can be compared with a normal Internet browser such as Microsoft Internet Explorer. The browser builds up a menu structure where the different menu items can be seen as bookmarks, as in an ordinary Internet browser, and typically point to an instruction stored on the SIM card. After the wanted instruction has been selected, the browser converts it into a SAT command and executes it. Depending on the application and command, the result can be hidden, displayed or used for further processing. In order for the ME to use the browser, the ME needs to be SAT class 2 compliant. As stated above not all products can utilise all SAT commands, but all new handsets are today compliant enough to use a micro browser, and the number of micro browser enabled handsets is expected to grow rapidly, see Figure 5 [19]. The Wireless Internet Browser (WIB) is a micro browser originally developed by Across Wireless⁵, but it is now an open standard that any SIM card manufacturer can use. The WIB has grown into the de facto standard for micro browsers, and thanks to the open standard many SIM card manufacturers implement the WIB on their cards. The WIB is discussed in more detail in section 6.1.

⁵ Across Wireless is now part of SmartTrust AB.


Figure 5 - Global cellular subscribers and installed base of micro browser enabled handsets. Diagram taken from SmartTrust.

3.5 Short Message Service

The GSM specifications define how alphanumeric messages are sent through the network, both to and from the ME. A Short Message (SM)⁶ can carry up to 140 bytes of information, which makes it possible to send up to 160 characters in the 7-bit GSM default alphabet, or 70 characters when a 16-bit Unicode (UCS-2) alphabet is needed, such as for Arabic or Chinese. In the beginning the operators saw SMS as nothing more than an extra feature of their network, but as development continued SMS turned into one of the features generating the most revenue for the operators. In May 2001 almost 19 billion SM were sent world wide [14], and the number increases each month as new services are introduced. In order for the system to handle SM, a few entities in the GSM network have to be modified. Besides modifications in the GMSC, MSC and MS, a Short Message Service Center (SMSC) has to be added to the switching system, see Figure 6.

⁶ In everyday language an SM is often referred to as an SMS, which should not be confused with the service supplied by the operator.


Figure 6 - GSM network enabled for SM

The SMSC receives and relays messages to and from the MSs, and sends a delivery report back to the originator of the SM. The system is designed to be reliable: the SMSC can store the SM if delivery fails and reattempt it later. An important feature of SMS is that the 140 bytes can carry binary data instead of text. This is what the data download mechanism of SAT, mentioned above, uses.
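Why 140 bytes give 160 or 70 characters, as an added Python example (not from the thesis): 160 seven-bit characters are 1120 bits, exactly 140 octets, whereas UCS-2 spends two octets per character. The packing below follows the LSB-first septet packing of the GSM default alphabet (GSM 03.38). The example is limited to characters whose GSM code equals their ASCII code and sends everything else as UCS-2; that choice is an assumption of this example, not a rule from the specification.

```python
from __future__ import annotations

SMS_PAYLOAD_OCTETS = 140          # user-data capacity of one SM
# punctuation whose GSM default-alphabet code equals its ASCII code (assumed subset)
GSM_ASCII_PUNCT = " !\"#%&'()*+,-./:;<=>?"


def pack_septets(septets: list[int]) -> bytes:
    """Pack 7-bit values into octets, least significant bit first."""
    acc, nbits, out = 0, 0, bytearray()
    for s in septets:
        if not 0 <= s < 128:
            raise ValueError("septet out of range")
        acc |= s << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)     # remaining bits, zero-padded
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> list[int]:
    """Inverse of pack_septets; count says how many septets were packed, since
    the padding bits of the last octet are not self-describing."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def gsm7_capacity(octets: int = SMS_PAYLOAD_OCTETS) -> int:
    return octets * 8 // 7         # 140 octets -> 160 septets


def ucs2_capacity(octets: int = SMS_PAYLOAD_OCTETS) -> int:
    return octets // 2             # 140 octets -> 70 two-byte characters


def encode_sm_text(text: str) -> tuple[str, bytes]:
    """Encode text for one SM and say which alphabet was used."""
    if all(ch.isascii() and (ch.isalnum() or ch in GSM_ASCII_PUNCT) for ch in text):
        if len(text) > gsm7_capacity():
            raise ValueError("more than 160 GSM 7-bit characters")
        return "GSM7", pack_septets([ord(ch) for ch in text])
    if len(text) > ucs2_capacity():
        raise ValueError("more than 70 UCS-2 characters")
    return "UCS2", text.encode("utf-16-be")


if __name__ == "__main__":
    for sample in ("hello", "A" * 160, "\u4f60\u597d"):      # constructed inputs
        alphabet, payload = encode_sm_text(sample)
        print(alphabet, len(payload), "octets:", payload.hex())
```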


4. Obtaining the position


The operators can choose from a range of methods when implementing positioning services. These include Cell Of Origin (COO), which today is the only working method with the existing network and handsets, Timing Advance (TA), Enhanced Observed Time Difference (E-OTD), Time of Arrival (TOA), Angle of Arrival (AOA) and the Global Positioning System (GPS). The European Telecommunications Standards Institute (ETSI) has issued a Technical Specification covering four methods in addition to COO: TA, TOA, E-OTD and GPS [7]. The methods described below can be divided into four categories, depending on where the information is gathered and where the position is calculated:

- Network based
- Network based, MS assisted
- Network assisted, MS based
- MS based

The first category relies solely on the network. It can derive the needed information without involving the handsets. COO and TA are in this category.

Network based, MS assisted methods are the most common. The important calculations are done within the network, but some information is needed from the MS, such as a signal received from the MS in order to measure a time value.

The network assisted, MS based methods are in practice network based in spite of the label. They are mostly executed in the network, but the final calculations may be made in the MS. The difference from the network based, MS assisted methods can be where the method was initiated. E-OTD, for example, can be of both types. If it is the subscriber himself who wants the position, the calculation can be done in the MS and the result presented on the display. But if it is the system that tries to fix the position of a subscriber, the calculation can be done within the network once the needed information has been obtained from the MS.

MS based methods are what is interesting for this thesis, and need no information from the network other than what already exists in the MS. COO and TA, which are also network based, are of this type, along with the Network Measurement Result (NMR). GPS also belongs to this category; it is not interesting for this thesis but is included for comparison.


4.1 Cell Of Origin (COO)

COO is the simplest and cheapest method, since it requires no changes in handsets or network, and is already used by the operators. The method uses the cell in which the mobile station is registered. From the cell-ID of the serving cell, the corresponding Base Transceiver Station (BTS) can be found. The BTS has a fixed position and known properties, such as transmitted signal strength, so an area around the BTS can be calculated within which a handset must be to receive signals in this cell. The method is fairly inaccurate. The area calculated around the BTS is based on transmitted signal strength and known signal attenuation, which gives a radius around the BTS. The accuracy therefore depends on the cell size, which varies from 150 m in an urban area up to 30,000 m in a rural area. For some services the method may be accurate enough in an urban area, such as finding the address of a post office in the vicinity, but it is far from acceptable in a rural area. As mentioned above, COO is both network based and MS based. The cell-ID is stored both in the network and in the MS, and the method is already in use through the network. With the SAT command Provide Local Information the SIM card can obtain the cell-ID from the ME, which makes it possible to execute the method solely on information accessible from the MS. It should also be noted that because of radio effects such as multi-path, the strongest signal does not necessarily come from the closest BTS.

Figure 7a - Cell Of Origin; 7b - Cell Of Origin + Timing Advance

4.2 Timing Advance (TA)

A way to improve COO is to enhance the method with the Timing Advance value (TA). As described in section 3.3.4, TA is used to synchronise the signals between the MS and the BTS. The TA is a 6-bit value, defined in GSM 05.10 [9] to range from 0, when no advance is needed, to a maximum of 63. With a maximum cell radius of 35 km, each increment of the TA value corresponds to a distance of about 550 m. That is, a TA value of 0 means the MS is between 0 and 550 m from the BTS, and a value of 5 means between 2750 and 3300 m.


By using the TA value in addition to COO, the circle around the BTS is narrowed down to an approximately 550 m wide ring (an arc, if the cell is sectorised). In a rural area, where the cell radius can be up to 35 km, this is a clear improvement over plain COO. In an urban area it may not help much, since many cells are smaller than 550 m. In such cells the TA is never assigned a value higher than zero, since a higher value would mean a distance longer than the cell size. As with COO, the TA value is available both in the network and in the MS, so the method can be executed both through the network and from an application stored on the SIM card. However, whereas most handsets support the command to fetch the cell-ID, not all support the request for the TA value. Although the command is defined in the GSM specifications, it is classed as not mandatory and some manufacturers have not implemented it yet.
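The two pieces of information that COO+TA on the SIM needs are exactly the ones Provide Local Information returns (section 3.4.2): the Location Information value and the Timing Advance value. The following Python decoder is an added example, not the thesis's or SmartTrust's code. The byte layouts (three BCD bytes for MCC/MNC with swapped nibbles, then 16-bit LAC and cell identity; a status byte followed by the TA byte) follow GSM 11.14 and GSM 04.08 as recalled by the editor, the treatment of TA values above 63 as "not available" is an assumption, and the sample bytes are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

C = 299_792_458.0                       # speed of light, m/s
BIT_PERIOD_S = 48 / 13_000_000          # one GSM bit period, about 3.69 µs
TA_STEP_M = C * BIT_PERIOD_S / 2        # one TA step: about 553 m of one-way distance
TA_MAX = 63


@dataclass
class LocationInformation:
    mcc: str
    mnc: str
    lac: int
    cell_id: int


def _nibbles(b: int) -> tuple[int, int]:
    return b & 0x0F, b >> 4             # (low nibble, high nibble)


def parse_location_information(data: bytes) -> LocationInformation:
    """Decode the 7-byte Location Information value: MCC/MNC as swapped-nibble
    BCD, then LAC and cell identity as 16-bit big-endian values."""
    if len(data) != 7:
        raise ValueError("location information must be 7 bytes")
    mcc1, mcc2 = _nibbles(data[0])
    mcc3, mnc3 = _nibbles(data[1])
    mnc1, mnc2 = _nibbles(data[2])
    mcc = f"{mcc1}{mcc2}{mcc3}"
    mnc = f"{mnc1}{mnc2}" + ("" if mnc3 == 0xF else str(mnc3))   # 0xF marks a 2-digit MNC
    lac = int.from_bytes(data[3:5], "big")
    cell_id = int.from_bytes(data[5:7], "big")
    return LocationInformation(mcc, mnc, lac, cell_id)


def parse_timing_advance(data: bytes) -> tuple[int, int | None]:
    """Decode the 2-byte Timing Advance value: ME status (0 = idle, 1 = not idle)
    followed by the TA. Assumption: a TA above 63 means 'not available'."""
    if len(data) != 2:
        raise ValueError("timing advance must be 2 bytes")
    status, ta = data[0], data[1]
    return status, (ta if ta <= TA_MAX else None)


def ta_distance_bounds(ta: int) -> tuple[float, float]:
    """The ring of one-way distances a TA value stands for: [ta, ta+1) steps."""
    if not 0 <= ta <= TA_MAX:
        raise ValueError("TA must be 0..63")
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def highest_ta_in_cell(cell_radius_m: float) -> int:
    """Largest TA an MS can be assigned inside a cell of the given radius; 0 for
    any cell smaller than one step, which is why TA adds nothing in such cells."""
    return min(TA_MAX, int(cell_radius_m // TA_STEP_M))


def describe_fix(loc_value: bytes, ta_value: bytes) -> dict:
    """Combine both values into the COO+TA result: which cell, and how far from its BTS."""
    loc = parse_location_information(loc_value)
    _, ta = parse_timing_advance(ta_value)
    result = {"plmn": f"{loc.mcc}-{loc.mnc}", "lac": loc.lac, "cell_id": loc.cell_id}
    result["ring_m"] = None if ta is None else ta_distance_bounds(ta)   # None: COO only
    return result


if __name__ == "__main__":
    # constructed sample: MCC 240 / MNC 01, LAC 400, cell 6699, ME idle, TA 5
    print(describe_fix(bytes.fromhex("42f010" "0190" "1a2b"), bytes.fromhex("0005")))
```

The BTS coordinates needed to turn the ring into map positions are not in either value; as section 5 notes, they have to come from the operator.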

4.3 Time Of Arrival (TOA)

TOA works by measuring signals sent from the MS to three or more BTSs. The MS sends a known signal, which each BTS receives and hands over to a Location Measurement Unit (LMU). The LMU measures the time the signal took to travel between the MS and the BTS, the TOA value. Since the propagation time of a radio wave is directly proportional to the distance travelled, each value gives a circle around its BTS. Calculating where the circles from three different BTSs intersect gives the approximate location of the MS.

Figure 8 - Time Of Arrival

The precision of the clocks in the LMUs is important for this method; a timing error of one microsecond results in a 300 m position error. To synchronise the clocks, the LMUs are equipped with GPS time. The method needs extensive changes in the network before it can be used: each BTS has to be equipped with, or connected to, an LMU in order to measure the time. Since the method builds on signals sent from the MS out to the network, it can only be executed in the network and belongs to the category network based, MS assisted. Because of the changes needed it cannot be implemented today.


4.3.1 Time Difference of Arrival (TDOA)

TDOA is a variation of TOA that can be used when the time the signal was sent is unknown or inaccurate. Instead of absolute time measurements, as in TOA, the method uses difference measurements. The LMU at one BTS records the time at which the signal arrived from the MS, d1, see Figure 9. This value is compared with the arrival time at another BTS, d2. The difference between the two arrival times, d1 - d2, is the TDOA value. The curve along which the TDOA value is constant is a hyperbola. With two pairs of BTSs, i.e. at least three BTSs, two hyperbolas can be calculated and their intersection gives the location of the MS. As with TOA, the method can only be executed in the network and cannot be implemented today.

Figure 9 - Hyperbolic curves
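An added worked example of both solvers (not from the thesis), in Python: with the send time known it solves the TOA circles of section 4.3, and with the send time unknown it solves the TDOA hyperbolas by carrying the send time as a third unknown. BTS coordinates, the true MS position and the 1 µs LMU error are constructed values; the solver is a plain Gauss-Newton iteration, one possible method and not the one any particular LMU product uses.

```python
import math

C = 299_792_458.0    # propagation speed, m/s


def _solve(a, b):
    """Gaussian elimination with partial pivoting for a small square system a.x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def locate(bts, arrivals, t_sent=None, iters=50):
    """Position fix from arrival times at three or more BTSs (LMUs).

    With t_sent given this is TOA: each arrival fixes a circle of radius
    C*(t_i - t_sent) around BTS i. With t_sent=None it is TDOA: the send time is
    a third unknown, so only the differences between the arrivals matter.
    Both are solved by Gauss-Newton on the range residuals."""
    x = sum(p[0] for p in bts) / len(bts)          # start at the BTS centroid
    y = sum(p[1] for p in bts) / len(bts)
    tdoa = t_sent is None
    # the unknown send time is carried as a distance s = C*t_sent (better conditioned)
    s = (sum(C * t - math.hypot(x - bx, y - by) for (bx, by), t in zip(bts, arrivals)) / len(bts)
         if tdoa else C * t_sent)
    for _ in range(iters):
        rows, resid = [], []
        for (bx, by), t in zip(bts, arrivals):
            d = math.hypot(x - bx, y - by)
            resid.append(C * t - s - d)                  # measured range minus modelled range
            row = [(x - bx) / d, (y - by) / d]           # d(range)/dx, d(range)/dy
            if tdoa:
                row.append(1.0)                          # d(range)/ds
            rows.append(row)
        n = len(rows[0])
        jtj = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
        jtr = [sum(r[i] * v for r, v in zip(rows, resid)) for i in range(n)]
        delta = _solve(jtj, jtr)
        x += delta[0]
        y += delta[1]
        if tdoa:
            s += delta[2]
        if math.hypot(delta[0], delta[1]) < 1e-6:
            break
    return x, y


def arrival_times(bts, ms, t_sent):
    """Constructed measurements: when a burst sent from ms at t_sent reaches each BTS."""
    return [t_sent + math.hypot(ms[0] - bx, ms[1] - by) / C for bx, by in bts]


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


if __name__ == "__main__":
    sites = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]   # constructed BTS positions, metres
    truth, t0 = (1500.0, 2200.0), 0.001
    t = arrival_times(sites, truth, t0)
    print("TOA, send time known:", locate(sites, t, t0))
    skewed = [t[0] + 1e-6] + t[1:]                         # one LMU clock 1 µs off
    print("TOA with 1 µs LMU error:", round(distance(locate(sites, skewed, t0), truth)), "m off")
    print("TDOA, send time unknown:", locate(sites, t))
```

Running it shows the two statements of the text side by side: a single 1 µs clock error in one LMU moves the TOA fix by a few hundred metres, while the TDOA fix is unaffected by a send time it never knew.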

4.4 Enhanced Observed Time Difference (E-OTD)

This method works in a similar way to TDOA, but in the other direction. Instead of the network measuring signals from the MS, in E-OTD it is the MS that measures signals from the network. By observing when a signal arrives from each BTS, the MS can calculate the difference between the arrival times from two BTSs, the observed time difference (OTD). As in TDOA, the OTD gives a hyperbola along which the OTD to the two BTSs is constant. At least two distinct pairs of BTSs are needed to calculate an intersection, thus a minimum of three BTSs. Since the time measurements are made in the MS, the OTD alone is not enough for an accurate value. The real time difference (RTD), the difference between when the two signals were sent, is needed as well. The hyperbolas are calculated from the geometric time difference (GTD), defined as GTD = OTD - RTD. To measure the RTDs, the signal bursts have to be received not only by the MS but also by an LMU. The LMU has a known position, and therefore a known distance to all BTSs. When the LMU receives the bursts it can calculate the RTD from the known distances.


Compared with TOA, where an LMU is needed at every BTS, this method is expected to need an LMU at every third to fifth BTS [7], which makes E-OTD less expensive to implement. Two versions of the method exist. The first is a network based, MS assisted version of E-OTD: when the MS has measured the signals it sends the measurements to the network for the calculations. The second is a network assisted, MS based version, where more information is sent to the MS so that it can perform the calculations itself. In both cases changes to what exists today are needed. Besides the LMUs, changes in the handsets may be needed so that they can recognise and measure the signals. An interesting observation about E-OTD is what would happen if the GSM network were synchronised, i.e. all BTSs transmitted their bursts at exactly the same time. The RTD would then be zero, so there would be no need to measure the time differences in the network. If the network could provide the MS with all necessary information along with the bursts, the actual calculations could be done solely in the handset. To synchronise the network, however, the BTSs would need to be equipped with very precise clocks.

4.5 Angle Of Arrival (AOA)

If the angle at which the signal from the MS arrives at the BTS can be measured, a line can be drawn from the BTS at this angle. By measuring the angle at two or more BTSs, the intersection of the lines gives the location of the MS.

Figure 10 - Angle Of Arrival

An advantage of this method is that only two BTSs are required to find an intersection, which can be useful in remote and rural areas. The main disadvantage is the need for complex antennas to measure the angle. Each BTS has to be equipped either with an array of antennas, usually between four and twelve, spaced less than one wavelength apart, or with smart directional antennas. Both types are expensive and not commonly used on the market. The method is executed in the network, and the expensive changes needed make it unlikely to be widely implemented in the near future.


4.6 Network Measurement Result (NMR)

A method normally not discussed is to use a piece of information called the Network Measurement Result (NMR), which is available only in the MS. When a user moves around in the GSM network, it is unavoidable that he passes between different geographical areas. To know which cell the MS should communicate with, the ME constantly listens to the signals sent out from the different BTSs. The signals are measured, and at certain signal-strength thresholds the ME decides that it needs to change its serving cell and initiates a cell reselection or, during a call, a handover. To measure the different signals, the ME stores information about the currently serving cell as well as up to six other cells from which it has received the strongest signals, the neighbour cells. This information is the Network Measurement Result (NMR). Three pieces of information about the neighbour cells in the NMR are interesting for this report: the Base transceiver Station Identity Code (BSIC), the BCCH frequency and the received signal strength. More details about the NMR can be found in GSM 04.18 [8]. The information about the neighbour cells can be used in a positioning method. If the received signal strength could be relied on, it could be used to calculate a circle around each neighbour cell on which the phone should be located. But because of too many sources of error, such as shadowing or dispersion, the values cannot be trusted. Instead they can be used to make a calculated guess about the distance to each neighbour cell. With enough such guesses, an estimate of where the phone is located in relation to the serving cell can be made. This does not give an exact location, but limits the area in which the phone might be.

Figure 11 - COO enhanced with calculated estimation from neighbour cells

Figure 11 illustrates the difference between using and not using the NMR. The left example uses only COO and gets a circle as result, with a radius depending on the transmitted signal strength of the BTS. In the right example the NMR is used to find four neighbour cells, and a couple of guesses can be made.


There are no neighbour cells west of the serving cell. Hence it is reasonable to assume that the phone is probably located east of the serving cell. The example also assumes that the received signal strength from the two northern neighbour cells is stronger than from the southern ones. Hence the phone is probably located north of the serving cell.

The result is an estimate that the phone is located north-east of the serving cell, and the original full circle can be narrowed down. I emphasise that these are only guesses, since there is a risk that the signal values do not reflect the truth. For example, the phone in the example may actually be much closer to the southern neighbour cells, with a very tall structure between those cells and the phone weakening their signals considerably. The NMR exists only in the MS and hence can only be used in an MS based method. The means to obtain the NMR are defined in the GSM specifications, but not all handsets support the needed commands. Because of the nature of radio signals a positioning scheme cannot rely solely on the NMR; it should be used in conjunction with another method.
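The reasoning about Figure 11 can be turned into a rule. The Python below is an added example, not the thesis's or SmartTrust's algorithm: it guesses a range from each neighbour's received level with an assumed log-distance path-loss model (P0, D0 and the exponent are illustrative constants), weights each neighbour's direction by the inverse of that guess, and keeps a sector of the COO circle around the resulting bearing. The neighbour coordinates and levels are constructed to match the figure: two strong neighbours north-east, two weak ones south-east, none west.

```python
import math

# Assumed log-distance path-loss model for turning a received level into a rough
# range: rssi = P0 - 10*n*log10(d/D0). P0, D0 and n are illustrative values only.
P0_DBM, D0_M, EXPONENT = -40.0, 100.0, 3.5


def rssi_to_range_m(rssi_dbm: float) -> float:
    """Invert the path-loss model. The result is a guess: shadowing by a building
    can make a near neighbour look far away, as the text above warns."""
    return D0_M * 10 ** ((P0_DBM - rssi_dbm) / (10 * EXPONENT))


def bearing_deg(dx: float, dy: float) -> float:
    """Compass bearing of the vector (dx east, dy north): 0 = north, 90 = east."""
    return math.degrees(math.atan2(dx, dy)) % 360


def estimate_region(serving_xy, cell_radius_m, neighbours, half_angle_deg=60.0):
    """COO narrowed with the NMR: weight each neighbour's direction by 1/guessed
    range, take the weighted mean direction as the likely bearing of the MS from
    the serving BTS, and keep a sector of the COO circle around it.

    neighbours: list of (x, y, rssi_dbm) for the cells reported in the NMR, with
    x/y the BTS coordinates that the operator would have to supply."""
    if not neighbours:
        return {"centre": serving_xy, "radius_m": cell_radius_m,
                "bearing_deg": None, "half_angle_deg": 180.0, "area_fraction": 1.0}
    sx, sy = serving_xy
    vx = vy = 0.0
    for x, y, rssi in neighbours:
        dx, dy = x - sx, y - sy
        norm = math.hypot(dx, dy)
        if norm == 0:
            continue
        w = 1.0 / rssi_to_range_m(rssi)       # stronger (nearer) neighbours pull harder
        vx += w * dx / norm
        vy += w * dy / norm
    return {"centre": serving_xy, "radius_m": cell_radius_m,
            "bearing_deg": bearing_deg(vx, vy), "half_angle_deg": half_angle_deg,
            "area_fraction": 2 * half_angle_deg / 360.0}


if __name__ == "__main__":
    # constructed NMR for the Figure 11 situation
    nmr = [(2500.0, 3000.0, -70.0), (3500.0, 2000.0, -75.0),
           (2000.0, -3000.0, -90.0), (4000.0, -2500.0, -95.0)]
    print(estimate_region((0.0, 0.0), 3000.0, nmr))
```

The sector half-angle is deliberately wide: the direction estimate is only as good as the path-loss guesses behind it, and the combined result should still be checked against TA or another method, as the text recommends.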

4.7 Global Positioning System (GPS)

GPS is the most widely used system for positioning. It is also the most accurate, with an accuracy down to about 10 m in the best cases [16]. The system relies on a constellation of 24 satellites circling the Earth, NAVigation Satellite Timing And Ranging (NAVSTAR), established by the U.S. Department of Defense in the late 1970s. Today the U.S. military operates the system, but anyone with a GPS receiver can decode the satellite signals and use it. The satellites orbit the Earth twice a day, arranged so that between five and eight satellites are visible from any point on Earth at all times. To calculate a position, the receiver needs two kinds of values: the positions of three satellites (four when positioning in four dimensions, X, Y, Z and time) and the distance between the receiver and each satellite. To know where the satellites are, the receiver picks up two types of information from them. The first is the almanac, which contains information about the satellite orbits and gives the approximate location of each satellite. It is updated periodically in the satellite as it moves. The satellite continuously broadcasts the almanac, and the receiver stores it in memory to keep track of the orbits and of where the satellites are. The second type of information is the ephemeris. Any satellite can drift slightly from its planned orbit. To compensate for this, ground stations track each satellite's orbit, altitude, location and speed, and send corrected data to the satellites. This ephemeris data is valid for four to six hours and, in combination with the almanac, lets the receiver know the exact position of the satellite.


To obtain the distance to the satellites, GPS uses an approach based on the TOA principle. The signal from a satellite contains the time at which it was sent, which lets the receiver measure how long the signal took to travel from the satellite to the receiver. This value multiplied by the speed of light gives the distance to the satellite, by the formula Velocity * Travel Time = Distance. When the positions of the satellites and the distances are known, the location of the receiver can be calculated by trilateration, i.e. intersecting the spheres around the satellites. There are a number of error sources in the GPS system. One of the most common is that the satellites transmit at very low power, usually 50 watts or less, compared with local radio stations that use around 100,000 watts. This means that the signals are easily disturbed, and obstacles like buildings and high terrain lower the accuracy notably. For the best result the receiver needs a line of sight to the satellites used, so obtaining a position indoors is usually impossible. Another problem is timing. The satellites carry atomic clocks that keep very accurate time. But the receivers, which for practical reasons cannot be equipped with atomic clocks, may have slight timing errors, and one millisecond is enough to generate a 300 km error. To overcome this a fourth satellite can be added to the calculation. Even with a timing error the first three satellites give an intersection where the possible location is, however inaccurate. Adding the fourth satellite shows that all four cannot intersect in the same place, which reveals the timing error. By slightly changing the receiver's time it is possible to find the time at which all four spheres intersect, and thus the correct time has been calculated. This procedure is time consuming, however, and has to be repeated over and over to make sure the time in the receiver is correct at all times.

4.7.1 Assisted GPS (A-GPS)

To enable an MS for GPS, a receiver chipset has to be embedded in the MS. In addition to the cost of the GPS receiver there are a few other problems. The start-up time is relatively long, from 30 seconds up to a few minutes, because of the long acquisition time for navigation information from the satellites. Second, indoor and urban-canyon environments, as well as the small antennas of cellular phones, prevent the detection of weak signals. Third, the power consumption is high. To deal with these problems Assisted GPS (A-GPS) was proposed. A-GPS can also reduce some of the general GPS problems, such as the timing errors mentioned above. A-GPS is based on a method for the GPS system called Differential GPS, and the main idea is to provide a reference network whose receivers are located at known positions, have a clear view of the sky and operate continuously. By measuring their position using the satellites and comparing the measured position with the known exact position, the reference receivers can determine the errors in the satellite signals. On request they can provide more accurate data, such as ephemeris data and clock corrections, and they can also tell which satellites are visible in the area.


Figure 12 - Assisted GPS. Picture taken from the GSM specifications.

This system has a number of advantages. On request the reference network sends a list of the satellites visible to the GPS receiver in the MS, together with other data that assists the receiver. This lowers the start-up time and increases the receiver's sensitivity, since it no longer has to search for the signals. The shorter start-up time reduces power consumption and allows quicker calculations. The increased sensitivity lets the receiver detect weaker signals, in some cases even indoors. Since the reference network can provide clock corrections, the receiver does not have to run the time-consuming calculations to obtain a synchronised time; it simply hands over its time references and lets the network calculate the correct time difference. The corrected data in the network also helps in calculating a more accurate position. This method is expected to provide the highest accuracy. But besides the GPS receiver chip in the MS, the GSM network has to be extended with the reference network.

4.8 Conclusion

Of the different methods described, only three can be used with information from the MS alone: COO, TA and NMR, see Table 1. A GPS-enabled handset would also make it possible to implement the positioning solely in the handset, but handsets with an embedded GPS chip are both very rare and very expensive today. And A-GPS, which would be preferable, still needs the network.
Table 1 - Summary of positioning methods

Method  | Execution         | Advantages                                                                                        | Disadvantages
--------+-------------------+---------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------
COO     | Handset / Network | High availability; only needs contact with one BTS; no changes needed                             | Low accuracy
COO+TA  | Handset / Network | High availability; only needs contact with one BTS; no changes needed; better accuracy than COO alone | Not all handsets support TA yet; low accuracy
TOA     | Network           | No changes needed in the handsets                                                                 | Expensive changes, one LMU at each BTS
TDOA    | Network           | No changes needed in the handsets                                                                 | Expensive changes, one LMU at each BTS
E-OTD   | Handset + Network | Less expensive changes, one LMU at every third BTS                                                | Needs changes in both network and handsets
AOA     | Network           | Only needs contact with two BTSs                                                                  | Complex and expensive changes
NMR     | Handset           | High availability; no changes needed; can improve the results of other methods                    | Not all handsets support NMR yet; only provides calculated guesses; cannot be used alone
GPS     | Handset           | High accuracy; no changes in the network                                                          | Very low availability indoors; expensive handsets
A-GPS   | Handset + Network | High accuracy                                                                                     | Low availability indoors; expensive handsets; needs changes in the network

Masters Thesis in Computer Science


5. Handset vs. network based positioning


When comparing the network and MS based methods, it's important to understand the difference in available information. In an MS based method the information is restricted to what is stored in the handset, which is information about the current network situation. The network, on the other hand, has a greater variety of information, or at least the potential to provide more information.

The network based methods have some strong advantages over the MS based ones. The most distinct difference is the available methods and their accuracy level. With existing technology, network and MS based methods can today provide the same level of accuracy. But as new technologies are developed and the network gets upgraded, the MS based methods will most likely not be able to provide as high accuracy. The only MS based method that would be able to match in accuracy is GPS.

Both an advantage and a disadvantage of network based methods is that they are strongly tied to the operators. A developer can't access any information from the network without the approval and cooperation of the operator. The advantage is that since the service must be built in cooperation with the operator, all information can be provided, and any eventual upgrades in the network can be utilized. An MS based method gives the possibility to obtain information from the MS without the operator's help. However, much of the information needed to calculate the position, such as the coordinates of the BTSs, is considered company confidential, so the operator's cooperation is still needed.

An advantage of MS based methods is the shorter response time. Since no measurements are needed from the network, a quicker execution can be obtained. This advantage can be lost, however, if the network has a high latency.

On the application level the MS based methods have some advantages over the network based methods. If the method is executed in the handset, it's easy to interact with the subscriber. For example, if a user is trying to find a pizzeria in the vicinity and many results are found, the subscriber could be asked whether he would prefer a cheaper place or one with better consumer ratings. In the case of the system trying to get the position of a subscriber, the subscriber could be asked, depending on the occasion, whether he allows the system to position him.

Another advantage is the possibility to utilize the security functions in the SIM card. In the example above, the user may find a pizzeria and order the desired pizza. To be able to pick the pizza up directly on arrival, he chooses to pay for the pizza in advance using his credit card. By encrypting the data, using algorithms on the SIM card, the user can safely enter his credit card information and sign the transaction with his Personal Identification Number (PIN). It would also be feasible to set up personal rules on the SIM card, which override the general rules in the network. Before execution the method first checks these rules to decide whether or not it's allowed to execute on this particular occasion. This would provide an easy way to personalize the services and improve personal privacy.

These advantages on the application level are in most cases harder to provide, if at all, in a network based method. As mentioned above, the network based methods will eventually provide a higher degree of accuracy. However, since they need more complex methods to calculate the position, they will in many cases have a lower availability. What will happen in the future is a mixture of different methods, hybrids. For instance, if the handset is equipped with a GPS receiver, a mixture of A-GPS and COO+TA could be used: A-GPS when the user is in open areas and COO+TA when indoors, or to assist A-GPS in urban canyons. By mixing the network and MS based methods, the interaction with the subscriber is also retained.


6. SmartTrust products
6.1 System overview
SmartTrust provides solutions for the mobile market, where the operators can gain in security and management of their systems. One of the products is the Delivery Platform (DP), which combines SM, over-the-air management, SAT and WAP technologies.

Figure 13 - Delivery Platform overview

The DP can provide a complete solution for wireless application delivery. The Internet Gateway handles the channel between the Internet and the wireless device. The Service and Device Management provides control of the operator's fleet of services and devices. The Messaging platform provides an SM flow to and from the wireless devices. And the security framework makes use of the security features in the SIM card to provide a base for wireless security. The security includes schemes based on both symmetric and asymmetric algorithms, where the asymmetric algorithm is one of the cornerstones of Wireless Public Key Infrastructure. Important for this work is the Wireless Internet Gateway (WIG) and its ability to communicate with the Wireless Internet Browser (WIB) on the SIM card. To some extent this allows a non-WAP enabled handset to browse WML pages. It also gives the functionality to push WML scripts to the MS, with or without interaction from the subscriber. The DP resides at the operator, in between their PLMN and other networks, such as the Internet.


6.2 Wireless Internet Gateway

The Internet Gateway module includes two ways for the mobile user to receive and view information. A WAP Gateway allows WAP enabled handsets to access WML pages in the normal way. The Wireless Internet Gateway (WIG) allows non-WAP capable handsets to access WML-based content, if they are equipped with a SAT based WML browser on the SIM card such as the Wireless Internet Browser (WIB), see below.

The WIG acts, as the name suggests, as a gateway between the Internet and the wireless device. Towards the Internet the WIG acts as a client, while towards the MS it acts as a server. An example case could be a subscriber who wishes to see a web page. The URL is sent as a request from the MS to the WIG. The WIG in its turn forwards the request onto the Internet. When the page is received, the WIG translates it into a byte code that's interpretable by the WIB. The byte code is sent to the MS, where the WIB translates it into SAT commands to show the result on the terminal display. During this session SMs are used as transport between the WIG and the MS.

Another feature of the WIG is its push mechanism. In the example above the session is subscriber-initiated. By using the push mechanism a session can be started from the network without interaction with the subscriber. That means the WIB does not only work as a browser; it can also receive instructions initiated by the system. It could either be the operator wishing to update some information on the SIM card, or wishing to display some text to the subscriber. A commercial use would be to push out localized advertising when the subscriber enters a certain area.

Figure 14 Wireless Internet Gateway principles

This push mechanism works by sending an SM containing a WML script out to the MS. The SM is marked as Data Download and its content is delivered to the WIB, which translates the WML script into SAT commands.

6.3 Wireless Internet Browser

The Wireless Internet Browser (WIB) is a menu-driven micro browser that resides on the SIM card. The menu can be seen as bookmarks, as in a normal Internet browser, and typically points to a WML application stored on the SIM card, or to a URL on the Internet where the application is located. The WIB can't handle WML code directly; it requires a byte code representation of the WML. If the application is stored on the SIM card it's already in the correct byte code, and if the page is fetched from the Internet the WIG handles the transformation between WML and byte code. The byte code in its turn is translated by the WIB into SAT commands to interact with the handset's interface.

An advantage the application developer gets by using the WIB is the fact that it already exists on the SIM card. Normally it's the operator who owns the SIM card. In order to place new applications on the SIM card, the developer needs permission from the operator, and normally adding a new application to a SIM card means replacing the card with a new one where the application is added at creation. By using the WIB the application can be stored on the SIM card after creation, or even be pushed out and executed by the WIB when needed.

Another advantage of the WIB is its support for plug-ins. After creation a normal SIM card can't alter its functionality. The WIB can handle plug-ins to extend its functionality and perform actions that are not standard. The plug-ins work in a similar manner to the plug-ins of a normal Internet browser. By calling a specific function the WIB knows a plug-in is requested, and passes the needed information to the corresponding application. In a normal Internet browser this can be compared to changing http://, which tells the browser a normal web page is requested, to telnet://, which requests a telnet session. Since telnet sessions are not part of the browser's normal functionality, it needs a plug-in to handle the session.

An important plug-in is the function that calls the SAT command Provide Local Information. By calling this function the application on the SIM card can get information from the ME such as the cell ID or Network Measurement Results (NMR). This is utilized by the implemented demonstration to obtain the necessary information from the MS in order to perform the positioning calculations.


7. Implemented demonstration
For this thesis a web-based service was chosen as the demonstration. A user should be able to enter the desired phone number on a web page, and as a result a map is returned. The operator is simulated in this demonstration. The WIG server is connected to one of Sonera's (footnote 7) SMSCs located in Finland, to be able to push the SMs out to the cell phone. The information needed to perform the positioning calculations was provided by an operator for this demonstration only, covering a small area around SmartTrust's office in Liljeholmen, Stockholm.

7.1 Positioning schemes

Of the different methods available to obtain the position, only three are suitable when utilizing the SIM card: COO, TA and NMR (see section 4.8). Even though they provide the lowest accuracy, COO and TA are the only methods used today in network-based positioning. As described in section 3.4.2, the SAT command Provide Local Information gives the SIM card the ability to ask the ME for its network information. This information includes the parameters needed to perform all three of the above methods, and through the WIB command wigProvideLocalInfo [20] the information is also available to applications executed on the SIM card. Thus all three methods are usable when building a positioning service on a SIM card that has the WIB.

For this demonstration, however, two setbacks occurred. First, no handset could be found that supports the command to request the TA; despite the specifications, most handsets don't yet support it. Second, in order to use the neighbour cells in a positioning method, their exact positions must be known. They can be identified by mapping their BSIC value and BCCH carrier to a cell ID whose position is known. However, the NMR doesn't contain the actual BCCH carrier values (ARFCNs). Instead all carrier values used in the area are stored in a BCCH channel list, and the NMR only contains indices into this list. Thus both the NMR object and the BCCH channel list are needed, but the channel list can't be retrieved through the WIB. Therefore only COO could be used for this demonstration; the TA and NMR methods are left for future work to implement and test.
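The neighbour-cell resolution step described above, as an added worked example in Python (not code from the thesis, whose demonstration was written in Java): it decodes a Measurement Results value in the GSM 04.08 layout (serving-cell fields, NO-NCELL-M, then 17 bits per neighbour: RXLEV, BCCH-FREQ-NCELL index and BSIC), unpacks a BCCH channel list of 10-bit ARFCNs as described in GSM 11.14, and maps each (ARFCN, BSIC) pair to a cell ID. The MSB-first packing of the channel list, the sample measurements and the (ARFCN, BSIC) to cell ID table are constructed assumptions; a real table is operator confidential. Run with the NMR alone, the same neighbours resolve to nothing, which is exactly the second setback above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class BitReader:
    """MSB-first bit reader over a byte string."""

    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, width: int) -> int:
        if self.pos + width > len(self.bits):
            raise ValueError("ran past end of data")
        value = int(self.bits[self.pos:self.pos + width], 2)
        self.pos += width
        return value

    def remaining(self) -> int:
        return len(self.bits) - self.pos


def pack_bits(fields: List[Tuple[int, int]], total_bytes: int) -> bytes:
    """Pack (value, width) fields MSB first, zero-padded; used only to build sample input."""
    bits = "".join(f"{v:0{w}b}" for v, w in fields).ljust(total_bytes * 8, "0")
    return int(bits, 2).to_bytes(total_bytes, "big")


@dataclass
class Neighbour:
    rxlev: int                       # 0..63; dBm = -110 + rxlev (GSM 05.08)
    bcch_index: int                  # index into the BCCH channel list, NOT an ARFCN
    bsic: int                        # 6-bit base station identity code (NCC, BCC)
    arfcn: Optional[int] = None
    cell_id: Optional[int] = None


def decode_nmr(nmr: bytes) -> Tuple[dict, List[Neighbour]]:
    """Decode the 16-octet Measurement Results value (GSM 04.08, 10.5.2.20)."""
    if len(nmr) != 16:
        raise ValueError("Measurement Results value must be 16 octets")
    r = BitReader(nmr)
    serving = {}
    serving["ba_used"] = r.read(1)
    serving["dtx_used"] = r.read(1)
    serving["rxlev_full"] = r.read(6)
    r.read(1)                                    # spare
    serving["meas_valid"] = r.read(1)
    serving["rxlev_sub"] = r.read(6)
    r.read(1)                                    # spare
    serving["rxqual_full"] = r.read(3)
    serving["rxqual_sub"] = r.read(3)
    no_ncell = r.read(3)
    if no_ncell == 7:                            # 7: neighbour cell information not available
        return serving, []
    neighbours = [Neighbour(r.read(6), r.read(5), r.read(6)) for _ in range(no_ncell)]
    return serving, neighbours


def decode_bcch_channel_list(data: bytes) -> List[int]:
    """Unpack consecutive 10-bit ARFCNs (GSM 11.14 BCCH channel list).
    Assumption: MSB-first packing; trailing bits shorter than one field are padding."""
    r = BitReader(data)
    arfcns = []
    while r.remaining() >= 10:
        arfcns.append(r.read(10))
    return arfcns


def resolve_neighbours(neighbours: List[Neighbour], bcch_list: Optional[List[int]],
                       cell_table: Dict[Tuple[int, int], int]) -> List[Neighbour]:
    """Map (BCCH-FREQ-NCELL index, BSIC) to a cell ID via the channel list.
    Without the list only the index is known, so nothing can be resolved."""
    for n in neighbours:
        if bcch_list is not None and n.bcch_index < len(bcch_list):
            n.arfcn = bcch_list[n.bcch_index]
            n.cell_id = cell_table.get((n.arfcn, n.bsic))
    return neighbours


# Constructed operator table (ARFCN, BSIC) -> cell ID; real tables are confidential.
CELL_TABLE = {(12, 0o61): 4101, (57, 0o22): 4102, (88, 0o07): 4103}
SAMPLE_BCCH_LIST = pack_bits([(a, 10) for a in (12, 57, 88, 101)], 5)   # constructed
SAMPLE_NMR = pack_bits([                                                   # constructed
    (0, 1), (0, 1), (40, 6),        # BA-USED, DTX-USED, RXLEV-FULL-SERVING-CELL
    (0, 1), (0, 1), (38, 6),        # spare, MEAS-VALID, RXLEV-SUB-SERVING-CELL
    (0, 1), (1, 3), (1, 3),         # spare, RXQUAL-FULL, RXQUAL-SUB
    (3, 3),                         # NO-NCELL-M = 3 neighbours reported
    (33, 6), (0, 5), (0o61, 6),     # neighbour 1: RXLEV, BCCH-FREQ index, BSIC
    (21, 6), (2, 5), (0o07, 6),     # neighbour 2
    (17, 6), (1, 5), (0o22, 6),     # neighbour 3
], 16)


def position_inputs(nmr: bytes, bcch_list: Optional[bytes]):
    """Return (serving-cell info, resolved neighbours) from what the MS can give."""
    serving, neighbours = decode_nmr(nmr)
    arfcns = decode_bcch_channel_list(bcch_list) if bcch_list is not None else None
    return serving, resolve_neighbours(neighbours, arfcns, CELL_TABLE)


if __name__ == "__main__":
    for label, lst in (("with BCCH list", SAMPLE_BCCH_LIST), ("NMR only", None)):
        serving, nbrs = position_inputs(SAMPLE_NMR, lst)
        print(label, "serving RXLEV", -110 + serving["rxlev_full"], "dBm")
        for n in nbrs:
            print(f"  idx={n.bcch_index} bsic={n.bsic:02o} arfcn={n.arfcn} "
                  f"cell={n.cell_id} {-110 + n.rxlev} dBm")
```

The RXLEV values are kept so that a later TA or signal-strength step can weight the neighbours; the COO demonstration in section 7 needs only the serving cell.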

7.2 Programming language

To implement this web-based service Java Servlets, with complementing Java classes, was selected. The web platform consists of an Apache http server extended with a Tomcat Servlet engine.

Footnote 7: Sonera is one of Finland's largest operators, and the owner of SmartTrust.


Inside a servlet engine there exist two kinds of memory, the session and the context memory. A session is tied to one window in one browser at a time, i.e. the session is unique for every browser that requests a servlet. The session memory can be used to store information needed in this particular session. The context memory, on the other hand, is shared between all servlets within the same context and can be accessed from any session. These two kinds of memory are used in this demonstration to communicate between the functions user and calc (see Figure 16). More about the session and context memories can be read on Java's tutorial pages [18].

To push a message to a WIG server, HTTP over TCP/IP is used. The message is an XML document containing the WML script addressed to an MS. The XML is based on the WAP Push Access Protocol [6], of which a subset is supported [21]. The WML script is based on a subset of the WML specification [20].

7.3 System structure

When constructing the system as a web-based service, two spaces are created: the operator space and the content provider space. This demonstration uses a solution where the content provider space is more active and the operator plays a more passive role. In a live situation, information about the GSM system is kept strictly company confidential; operators normally won't give out information such as the coordinates of the BTSs. Then a solution where the operator space is dominant is needed, see Figure 15.

Figure 15 - Operator dominant solution

The content provider hosts the web service that handles the information to and from the user. The function user is in charge of the user interaction and of formatting the original request into a WML script, which is sent to the operator. When the response arrives it uses the information for any desired presentation towards the user, such as connecting to a GIS server (Geographical Information System) to obtain a map showing the position. Inside the operator space the WIG communicates with a Location Server (LS) upon receiving a response from the MS. The LS contains the information and algorithms needed to calculate the position.


This case gives the operator full control over the information. No information other than the calculated position leaves the operator space. Another possible situation is that the operator supplies the content provider with the necessary information, to some extent. This allows a more content provider dominant solution, and the service wouldn't be as tied to the operator. The main advantage of this case is the possibility for the content provider to make agreements with several operators to be part of the service. In the previous case only the subscribers of that single operator can use the service. As in the previous case the content provider hosts the function user with the same functionality. The main difference is that the LS has been split into two new entities: a database db and a new function calc that is in charge of the calculations, see Figure 16.

Figure 16 - Content provider dominant solution

When receiving a response from an MS the operator forwards the message, unprocessed, to the function calc. With the necessary information requested from db, calc calculates the position and provides user with the result. Basically calc and db could be placed in any combination, depending on how much information the operator is willing to provide. Hosting both calc and db in the same space would give them the same functionality as the LS, but the information wouldn't be kept strictly inside the operator space. In this demonstration the second solution has been used.

7.3.1 WML script

An important part of the system is the WML script sent to the WIB. Figure 17 shows an example of the WML script used for this demonstration. Both lines of the script use the go href element of the WML standard. The first line, however, uses the character # to tell the WIB that the plug-in wigProvideLocalInfo should be used. The WIB executes the command and stores the result in the variable loc [20].


<wml>
  <go href="http://www.smarttrust.com#wigProvideLocalInfo(00,loc)"/>
  <go href="http://172.16.10.185/demo/servlet/MessageReceiver?LOC=$(loc)&session=hq4z7lk&counter=3"/>
</wml>

Figure 17 - WML script requesting location information

In the second line the go href element is used as a normal HTTP request. It tells the WIG to relay the request to the servlet MessageReceiver, which is part of the function calc. The servlet receives four in-parameters. First the WIB substitutes the variable loc and sends it as the parameter LOC. The session and counter parameters are set when the script is created in the function user. Finally the MSISDN is automatically appended to the request by the WIG as the string &MSISDN=xxxxxxxxxxxxx [22]. The session and counter parameters are used for error detection and to make sure the response is matched to the correct user: since the script travels as an SM and the values come back in the relayed request, calc should only accept a response whose session and counter correspond to an outstanding request.

7.3.2 User interaction function

As described above, the function user handles the communication with the user, and consists of a group of Java servlets and classes. Figure 18 illustrates the functionality of the function user.

Figure 18 - Flowchart for function user

Upon receiving a request, the MSISDN is checked against the database db, see section 7.3.4, to verify that the service is allowed to obtain the position of that number. Then the necessary WML script is created, using information from the current session. After pushing the message to the WIG server, user enters a waiting state, periodically checking whether the result has arrived, until a timeout value is reached. During this waiting time the message is pushed to the MS, the response is sent to the function calc where the position is calculated, and finally the result is stored in the context memory. The context memory is used because it is shared between user and calc. When user can retrieve a result from the context memory, the position has been calculated. The result is used when creating the web page returned to the user.


7.3.3 Calculation function

When the WIG server receives the response from the MS, it forwards the unprocessed data to the function calc, see Figure 16. After making error checks, to make sure it should handle the response, it starts to decode the incoming data.

Figure 19 - Flowchart for function calc

In this demonstration decoding the incoming data is the major part of calc. Since only the COO method is used, no calculation other than the database lookup is needed. When the position is obtained the result is stored in the context memory for user to retrieve.

7.3.4 Database

In the test environment a Microsoft Access database is used. The database, db, contains two kinds of information: MSISDN info and BTS info.

MSISDN info: In order to verify which numbers the system is allowed to position, db contains a list of numbers that have either disabled or allowed the service. Thus when the user function asks to verify an MSISDN it can get three different states: not in database, service disabled or service allowed. The second and third states are obvious and are treated accordingly. The first state, however, could mean the subscriber isn't aware of the service. This case could be treated differently, for example by sending a question to the subscriber asking whether the current positioning request is allowed. In this demonstration the service is not allowed if the number is not in db.

BTS info: The BTS info is the most important information in any positioning service. Without the coordinates of the BTSs it isn't possible to calculate any position. The db contains a simple mapping between cell IDs and their corresponding coordinates, as provided by the operator for this demonstration.

7.3.5 Message flow

During a positioning request a lot of messages pass through the entire system. The main flow of messages is illustrated in Figure 20.


At initialisation of the service, user receives a request from a user containing the requested MSISDN. After creation of the WML script (see Figure 17) it is sent to the operator and their WIG server, where the script is pushed out onto the GSM network as an SM. In the subscriber's MS the ME is constantly asking the SIM card for any proactive commands to execute, as part of the proactive mechanism. At the arrival of the SM, the ME identifies it as a Data Download message and downloads it to the SIM card and the WIB for execution. The WIB then initiates two proactive commands: Provide Local Information (PLI), and finally Send Short Message to return the result of the previous command as an SM.

Figure 20 The message flow during a positioning request

As defined in the WML script, the result is sent to the function calc in the content provider space, where necessary calculations and database lookups are done. Finally the calculated position is returned to the function user and the result can be displayed to the user.
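The whole request path of sections 7.3.1 to 7.3.5, as an added example in Python rather than the thesis's Java servlets: the consent check against db with its three states, the WML script with a per-request session token and counter, the shared context memory, and a calc that accepts a relayed response only when its session, counter and MSISDN match an outstanding request, then decodes the location information (MCC/MNC as swapped BCD, LAC and cell ID, as in GSM 11.14) and does the COO lookup. The WIG push and the SM round trip are replaced by a local stand-in that fills in $(loc) and appends the MSISDN. The servlet URL is the one from Figure 17; the MSISDNs, the BTS table, the token format and the assumption that the WIB returns loc as the hex of the 7-octet location information are constructed for the example.

```python
import secrets
import threading
import time
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlsplit

CALC_URL = "http://172.16.10.185/demo/servlet/MessageReceiver"   # from Figure 17
SAMPLE_LOC = "42F0101234ABCD"   # constructed: MCC 240, MNC 01, LAC 0x1234, CI 0xABCD

# db (constructed sample data; real BTS coordinates are operator confidential)
MSISDN_CONSENT = {"46701234567": "service allowed", "46707654321": "service disabled"}
BTS_INFO = {("240", "01", 0x1234, 0xABCD): (59.3100, 18.0200)}  # (MCC, MNC, LAC, CI) -> (lat, lon)

# Context memory shared by user and calc: session token -> outstanding request
CONTEXT: Dict[str, dict] = {}
LOCK = threading.Lock()


def consent_state(msisdn: str) -> str:
    """Three states as in section 7.3.4; an unknown number is not positioned."""
    return MSISDN_CONSENT.get(msisdn, "not in database")


def build_wml(session: str, counter: int) -> str:
    """WML pushed to the WIB: run the wigProvideLocalInfo plug-in, then relay the
    result to calc. The WIG appends &MSISDN=... to the second request on the way back."""
    return ("<wml>"
            '<go href="http://www.smarttrust.com#wigProvideLocalInfo(00,loc)"/>'
            f'<go href="{CALC_URL}?LOC=$(loc)&session={session}&counter={counter}"/>'
            "</wml>")


def decode_location_info(hexstr: str) -> Tuple[str, str, int, int]:
    """GSM 11.14 Location Information: 3 octets MCC/MNC in swapped BCD (MNC digit 3
    is F for a two-digit MNC), 2 octets LAC, 2 octets Cell ID, all big-endian."""
    b = bytes.fromhex(hexstr)
    if len(b) != 7:
        raise ValueError("location information must be 7 octets")
    lo = lambda o: b[o] & 0x0F
    hi = lambda o: b[o] >> 4
    mcc = f"{lo(0)}{hi(0)}{lo(1)}"
    mnc = f"{lo(2)}{hi(2)}" + ("" if hi(1) == 0xF else str(hi(1)))
    return mcc, mnc, int.from_bytes(b[3:5], "big"), int.from_bytes(b[5:7], "big")


def calc_receive(request_url: str) -> bool:
    """Function calc (servlet MessageReceiver). Returns False for a response that
    matches no outstanding request, so stale, replayed or mismatched responses are dropped."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    with LOCK:
        pending = CONTEXT.get(q.get("session", ""))
        if (pending is None or pending["result"] is not None
                or str(pending["counter"]) != q.get("counter")
                or pending["msisdn"] != q.get("MSISDN")):
            return False
        try:
            mcc, mnc, lac, ci = decode_location_info(q.get("LOC", ""))
        except ValueError:
            pending["result"] = {"error": "undecodable LOC"}
            return True
        coords = BTS_INFO.get((mcc, mnc, lac, ci))          # COO: a lookup is the calculation
        pending["result"] = ({"mcc": mcc, "mnc": mnc, "lac": lac, "cell_id": ci, "bts": coords}
                             if coords else {"error": "unknown cell", "mcc": mcc, "mnc": mnc})
    return True


def user_request(msisdn: str, push: Callable[[str, str], None],
                 timeout: float = 5.0, poll: float = 0.05) -> dict:
    """Function user: consent check, script creation, push, then wait for calc's result."""
    state = consent_state(msisdn)
    if state != "service allowed":
        return {"error": f"positioning not allowed: {state}"}
    session, counter = secrets.token_urlsafe(8), 1            # hypothetical token format
    with LOCK:
        CONTEXT[session] = {"msisdn": msisdn, "counter": counter, "result": None}
    push(msisdn, build_wml(session, counter))
    deadline = time.monotonic() + timeout
    result = None
    while result is None and time.monotonic() < deadline:
        time.sleep(poll)
        with LOCK:
            result = CONTEXT[session]["result"]
    with LOCK:
        CONTEXT.pop(session, None)                            # one response per request
    return result if result is not None else {"error": "timeout"}


def simulated_wig_and_handset(msisdn: str, wml: str) -> None:
    """Stand-in for the WIG push and the SM round trip: the WIB substitutes $(loc),
    the WIG appends the MSISDN and relays the second <go> to calc a little later."""
    second_go = wml.split('<go href="')[2].split('"/>')[0]
    url = second_go.replace("$(loc)", SAMPLE_LOC) + f"&MSISDN={msisdn}"
    threading.Timer(0.1, calc_receive, args=(url,)).start()


if __name__ == "__main__":
    for number in ("46701234567", "46707654321", "46700000000"):
        print(number, user_request(number, simulated_wig_and_handset))
```

The "unknown cell" result still carries MCC and MNC, which is what the demonstration falls back on when no operator data is available (section 7.4): country and network can be shown without any BTS table.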

7.4 Results

The demonstration successfully implements a positioning method based on the SIM card. The accuracy provided is the same as that of the network based methods available today. In this implementation, however, only the position of the BTS can be shown. In order to calculate the radius around the BTS within which the possible position lies, the transmitted signal strength is needed, but the operator that supplied information for this demonstration did not provide this particular information.


During discussions with the people responsible for SmartTrust's demo platform, the point was raised that for a demonstration towards potential customers it might be enough to locate the country and network in which the cell phone is located. That would provide enough information when demonstrating the products on the international market. The demonstration is capable of this without connection to or cooperation with any operator, since the country code and network code are part of the location information returned by the handset. As a result of the request a simple map of Liljeholmen, Stockholm is displayed, where the positions of SmartTrust's office and the current BTS are marked with symbols, see Figure 21.

Figure 21 - Example of a result map

The demonstration also shows a list of the available network information. Any obtainable NMR information can be displayed, even though it can't be part of the positioning method.


8. Future work
This demonstration only implemented a part of what theoretically could be done. The TA method and the NMR information could be used to enhance the results. To implement the TA a compliant cellular phone must be found, which should be possible in the near future. In order to utilize the NMR information the WIB needs some improvements. The GSM specifications state the option to obtain the so-called BCCH channel list, which is needed as a complement to the NMR information. If this list can be obtained through the WIB, it will be possible to utilize the information in a practical manner.

Another possible improvement in the WIB is to support the SAT mechanism called Profile Download. During the execution of a WML script, any command not supported by the ME causes the execution to halt and an error message to be shown on the ME's display. This would be the case, for instance, if the TA method were requested on a cellular phone that doesn't support that command. The Profile Download mechanism provides the means to ask the ME which commands it supports. If the WIB provided this command, the WML script could be customized as to which positioning method to use, depending on what the ME supports.

If this demonstration were to become part of a commercial product, several improvements would be required. The handling of personal privacy could be improved significantly. Now only a two-state option exists, disabled or allowed. It would be desirable to extend that into more options, for example on a time basis. Other parts, such as security and fault tolerance, would also need improvement.


9. Conclusions
The objective of this thesis had two parts. The first was to investigate how location-based services can be built using information available in the cellular telephone. The second part was to implement a demonstration. During the work I have shown that it is possible to utilize the SIM card to perform a location-based service.

First the GSM system was discussed, and methods were shown for extracting certain information from the cellular phones. By using a SIM card with an installed micro browser it is possible to obtain network information from the handset, through the use of SIM Application Toolkit (SAT) commands. Then different positioning methods were discussed, of which three were shown to work solely with the information obtainable from the cellular phone: Cell Of Origin (COO), Timing Advance (TA) and Network Measurement Results (NMR). As of today these methods, except for NMR, are the same as those in use in the network. Thus location-based services using the SIM card can today provide the same level of accuracy in the calculated position.

If a higher degree of accuracy is needed, however, the methods based on the SIM card alone will eventually not be sufficient. In order to further develop these methods in the future, more information must be available from the cellular telephone, which would require changes in the specifications. The proposed network based methods, on the other hand, utilize existing specifications in new ways. As the networks continue to be upgraded, and the demand for more accurate services grows, the network based methods will be more suitable.

However, the network based methods lack a couple of things in comparison with the methods based on the SIM card. One is the possibility to interact with the subscribers. Many of the network based methods don't include the phone in their schemes, other than listening to its signals. This limits the options for the subscribers to personalize the services. The possibility to utilize the existing security functions of the SIM card is also lost. To retain these qualities it's likely that future solutions will consist of a mixture of network and handset based methods.


10. List of references

1. Williamson S., Svensk telemarknad 2000, Post & Telestyrelsen, 2001
2. Press release, Ovum, http://www.ovum.com/press/pressreleases/default.asp?wp=mls.htm, accessed 2001-06-25
3. Enhanced 911, FCC, http://www.fcc.gov/e911/, accessed 2001-06-10
4. Location Inter-operability Forum, http://www.locationforum.org/
5. Wireless Location Industry Association, http://www.wliaonline.org/
6. WAP Forum, http://www.wapforum.com
7. GSM 03.71, Digital cellular telecommunications system (Phase 2+); Location Services (LCS); Functional description, Stage 2, version 8.0.0, ETSI, 2000
8. GSM 04.18, Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification, Radio Resource Control Protocol, version 8.5.0, ETSI, 2000
9. GSM 05.10, Digital cellular telecommunications system (Phase 2+); Radio subsystem synchronization, version 8.4.0, ETSI, 2000
10. GSM 11.11, Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface, version 8.3.0, ETSI, 2000
11. GSM 11.14, Digital cellular telecommunications system (Phase 2+); Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface, version 8.3.0, ETSI, 2000
12. GSM Association Subscriber Statistics, GSM World, http://www.gsmworld.com/membership/ass_sub_stats.html, accessed 2001-07-30
13. GSM Association Subscriber Forecast, GSM World, http://www.gsmworld.com/membership/ass_sub_fore.html, accessed 2001-07-30
14. GSM SMS Graph, GSM World, http://www.gsmworld.com/membership/graph_sms.html, accessed 2001-08-15
15. Mouly M. and Pautet M.B., The GSM System for Mobile Communications, Telecom Publishing, 1992
16. Garmin: What is GPS?, Garmin, http://www.garmin.com/aboutGPS/, accessed 2001-10-27
17. GSM System Overview, Apis Technical Training, 1998
18. The Java Tutorial: Servlets, java.sun.com, http://java.sun.com/docs/books/tutorial/servlets, accessed 2001-09-15
19. Facts and figures, SmartTrust, http://www.smarttrust.com/seczone/facts_figures.html, accessed 2001-08-17
20. WML Specification Wireless Internet Gateway, Doc. nr. ST1745519 rev. E, SmartTrust, 2000
21. Push Request Protocol Specification, Doc. nr. ST17455122 rev. B, SmartTrust, 2001
22. Browser Request Protocol Specification, Doc. nr. 17455121 rev. C, SmartTrust, 2001


Appendix A: Abbreviations

AGCH    Access Granted Channel
A-GPS   Assisted GPS
AOA     Angle Of Arrival
BCCH    Broadcast Control Channel
BSIC    Base transceiver Station Identity Code
BSS     Base Station System
BTS     Base Transceiver Station
COO     Cell Of Origin
E-OTD   Enhanced Observed Time Difference
ETSI    European Telecommunications Standards Institute
FACCH   Fast Associated Control Channel
FCCH    Frequency Correction Channel
FDMA    Frequency Division Multiple Access
GPS     Global Positioning System
GSM     Global System for Mobile communications
IMEI    International Mobile Equipment Identity
IMSI    International Mobile Subscriber Identity
LAI     Location Area Identity
LBS     Location Based Services
LMU     Location Measurement Unit
ME      Mobile Equipment
MS      Mobile Station
MSC     Mobile services Switching Center
MSISDN  Mobile Station International ISDN Number
NMR     Network Measurement Results
PCH     Paging Channel
PIN     Personal Identification Number
PLMN    Public Land Mobile Network
PSTN    Public Switched Telephony Network
RACH    Random Access Channel
SACCH   Slow Associated Control Channel
SAT     SIM Application Toolkit
SCH     Synchronisation Channel
SDCCH   Stand-alone Dedicated Control Channel
SIM     Subscriber Identity Module
SM      Short Message
SMS     Short Message Service
SMSC    Short Message Service Center
TA      Timing Advance
TCH     Traffic Channel
TDMA    Time Division Multiple Access
TDOA    Time Difference of Arrival
TMSI    Temporary Mobile Subscriber Identity
TOA     Time Of Arrival
WAP     Wireless Application Protocol
WIB     Wireless Internet Browser
WIG     Wireless Internet Gateway
WML     Wireless Markup Language


Appendix B: SIM Application Toolkit features


The SAT commands can be divided into different categories: Control of the Man-Machine interface This type of commands allows the SIM to exchange information with the user. Select Item Allows the SIM to build up a sub-menu with a list of items, where the item selected by the user is returned. Display Text Shows a text in the display of the ME. Get Inkey Asks the user to answer with a single character, for example Y or N. Get Input Asks the user to input a string, for example their name. Play Tone Plays and audio tone thats pre-defined in the ME. For example play an error tone if the wrong character is typed.

Communication services
Allows the SIM to initiate actions, through the ME, that will be sent to the network.
- Set Up Call: Requests the ME to set up an automatic call to the given number.
- Send Short Message: Instructs the ME to set up and send a short message.
- Send SS: Sends a Supplementary Service Control string to the ME in order to request a supplementary service from the network, such as Call Forwarding.
- Send USSD: Sends an Unstructured Supplementary Service Data message.
- Cell Broadcast Download: Used to update data on the SIM card, such as downloading new applications to the SIM. The message is broadcast to all MS in the region.
- SMS PP Download: Allows data to be downloaded through the SM channel on a card-by-card basis (Point-to-Point).
- Call Control: Can be used to control outgoing calls, for example to check for unauthorised numbers or to expand abbreviated phone numbers.
- Mobile Originated Short Message Control: Can be used to force the ME to ask the SIM for permission before sending any SM.
- Provide Local Information: Allows the SIM to query the ME about its current location. Information such as the country code, Location Area and cell ID can be obtained.
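The location that Provide Local Information hands back to the SIM is a small binary object (the Location Information TLV of TS 11.14 / TS 31.111, tag 0x13), and a positioning application has to decode it before it can build the cell-of-origin key a server looks up. The decoder below is an added example, not code from the thesis or from SmartTrust's products; the sample TLV is constructed (MCC 240, MNC 01, LAC 42, cell 0x1234) and the CGI string format is an assumption.

```python
"""Decode the Location Information object returned to the SIM by the
SAT command "Provide Local Information" (TS 11.14 / TS 31.111, tag 0x13)."""

LOCATION_INFO_TAG = 0x13  # the comprehension-required bit 0x80 may also be set


def _bcd_digit(nibble: int) -> str:
    """One BCD digit; 0xF marks the unused third digit of a 2-digit MNC."""
    if nibble == 0xF:
        return ""
    if nibble > 9:
        raise ValueError(f"invalid BCD digit 0x{nibble:x}")
    return str(nibble)


def parse_location_information(tlv: bytes) -> dict:
    """Return MCC, MNC, LAC and cell ID from a Location Information TLV.

    Layout (TS 11.14 section 12.19): tag, length 7, then 3 bytes MCC/MNC in
    the TS 04.08 LAI coding, 2 bytes LAC and 2 bytes cell identity (big endian).
    """
    if len(tlv) < 2:
        raise ValueError("TLV too short")
    tag, length = tlv[0] & 0x7F, tlv[1]
    if tag != LOCATION_INFO_TAG:
        raise ValueError(f"unexpected tag 0x{tlv[0]:02x}")
    if length != 7 or len(tlv) < 2 + length:
        raise ValueError("Location Information must carry exactly 7 bytes")
    body = tlv[2:9]
    # Byte 0: MCC digit 2 | MCC digit 1; byte 1: MNC digit 3 | MCC digit 3;
    # byte 2: MNC digit 2 | MNC digit 1 (low nibble holds the first digit).
    mcc = _bcd_digit(body[0] & 0xF) + _bcd_digit(body[0] >> 4) + _bcd_digit(body[1] & 0xF)
    mnc = _bcd_digit(body[2] & 0xF) + _bcd_digit(body[2] >> 4) + _bcd_digit(body[1] >> 4)
    if len(mcc) != 3 or len(mnc) not in (2, 3):
        raise ValueError("malformed MCC/MNC coding")
    return {
        "mcc": mcc,
        "mnc": mnc,
        "lac": int.from_bytes(body[3:5], "big"),
        "cell_id": int.from_bytes(body[5:7], "big"),
    }


def cell_global_identity(info: dict) -> str:
    """Format the decoded fields as a CGI key for a cell-of-origin lookup (assumed format)."""
    return f"{info['mcc']}-{info['mnc']}-{info['lac']}-{info['cell_id']}"


# Constructed sample: tag with comprehension bit, MCC 240 / MNC 01, LAC 42, cell 0x1234.
SAMPLE_TLV = bytes.fromhex("93 07 42 F0 10 00 2A 12 34")

if __name__ == "__main__":
    print(cell_global_identity(parse_location_information(SAMPLE_TLV)))
```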

Menu management and application control
- Set Up Menu: Sets up a new menu item list during initialisation of the ME, which will include these menu items in its own menu.
- Menu Selection: Mechanism used to transfer the SIM application menu item selected by the user to the SIM.
- More Time: Allows a task more time for processing, if the processing is long enough to affect normal GSM operation.
- Event Download: Command sent from the ME to the SIM to state that an event has occurred. Allows the SIM to react to events other than user-driven ones.
- Set Up Event List: Used by the SIM to tell the ME which events it wants to be notified about.
- Timer Management / Timer Expiration: Allows the SIM to manage the ME's timer, for example to set up a reminder application.
