Positioning of a cellular phone using the SIM

Master’s Thesis in Computer Science
Royal Institute of Technology (Kungliga Tekniska Högskolan)

Oskar Mattsson
Stockholm, 2001

Examiner: Prof. Mats Brorsson, Department of Microelectronics and Information Technology, Royal Institute of Technology
Supervisor: Jonas Persson, SmartTrust AB


Abstract

As the market for cellular telephones, and other mobile devices, keeps growing, the demand for new services arises to attract the end users. One topic that is being discussed throughout the world today is location-based services. How can a mobile device be located and in which way can a service be constructed to utilize this information?

Work has begun to create a standard of how the position can be derived from the system; at the same time, different solutions have been presented. These solutions require changes in the existing infrastructure of the GSM system in one way or another, and are based on information residing in the network. This forces the operators to invest money to update their system.

Sonera SmartTrust provides products and solutions for the mobile market, enabling the operators to enhance their security and provide services to their customers.

This paper presents a solution for how the position of a mobile device can be determined using the SIM card. A demonstration is implemented using SmartTrust’s products to perform a location-based service, without any need for changes in the GSM infrastructure.


Table of Contents

1. Introduction
1.1 Wireless market
1.2 Background to the problem
1.3 Organization of the thesis
2. Location-based services
2.1 Emergency calls
2.2 Assisting services
2.3 Fleet management
2.4 Personal services
2.5 Personal privacy
3. The GSM System
3.1 Introduction
3.2 Network architecture
3.2.1 Mobile Station (MS)
3.2.2 Base Station System (BSS)
3.2.3 Switching System
3.2.4 Geographical areas
3.3 Radio interface
3.3.1 Physical channels
3.3.2 Logical channels
3.3.3 Radio signalling issues
3.3.4 Timing Advance
3.4 SIM card
3.4.1 Security
3.4.2 SIM Application Toolkit
3.4.3 Micro browser
3.5 Short Message Service
4. Obtaining the position
4.1 Cell Of Origin (COO)
4.2 Timing Advance (TA)
4.3 Time Of Arrival (TOA)
4.3.1 Time Difference of Arrival (TDOA)
4.4 Enhanced Observed Time Difference (E-OTD)
4.5 Angle Of Arrival (AOA)
4.6 Network Measurement Result (NMR)
4.7 Global Positioning System (GPS)
4.7.1 Assisted GPS (A-GPS)
4.8 Conclusion
5. Handset vs. network based positioning
6. SmartTrust products
6.1 System overview
6.2 Wireless Internet Gateway
6.3 Wireless Internet Browser
7. Implemented demonstration
7.1 Positioning schemes
7.2 Programming language
7.3 System structure
7.3.1 WML script
7.3.2 User interaction function
7.3.3 Calculation function
7.3.4 Database
7.3.5 Message flow
7.4 Results
8. Future work
9. Conclusions
10. List of references
Appendix A: Abbreviations
Appendix B: SIM Application Toolkit features


1. Introduction

1.1 Wireless market

In May 2001 the Swedish Post & Telestyrelsen (the Swedish National Post and Telecom Agency) presented a market survey about the telecom market in Sweden [1]. It shows that the number of wireline subscriptions decreased in 2000, while the mobile subscriptions continued to increase. Today there are more mobile subscriptions in Sweden than wireline, and with a total of 6.338.000 mobile subscriptions the penetration¹ is as high as 71%. This creates a new situation in society where people have a higher degree of freedom to place their calls wherever they are, whenever they want. Of course new problems and demands also arise with the new situation.

With new technologies being developed combined with the increased mobility, new services can be provided. One such group of services that has been getting a lot of attention lately is location-based services (LBS). More people are carrying a mobile device; if those devices could be positioned, a whole new range of services would be possible. Not only commercial business would benefit from LBS; public services such as emergency calls would also benefit from knowing where the caller is located, as is already the case for wireline emergency calls. The concepts of such services are discussed more thoroughly below.

The analyst and consultant company Ovum presented in January 2001 a report where they predict the mobile location market to be worth US$20 billion by 2006, with m-commerce as the driving force [2]. Operators and vendors that want to be part of this market need to start developing services that attract the users to gain maximum revenue. But no single technology has yet been determined as the definite solution to use when building LBS.

Many companies, such as CellPoint and Cambridge Positioning Systems, have started to create solutions for how location-based services can be done, with different approaches. The variety of solutions to choose from becomes a problem for the operators and vendors. Some kind of standard is needed for the operators to easily implement the services into their products. The European Telecommunications Standards Institute (ETSI) has issued a Technical Specification (TS) [7] that addresses 4 different methods to be included in a future standard. In September 2000 Ericsson, Motorola and Nokia founded the Location Inter-operability Forum (LIF) [4], which strives to help set the standards in the area. And in December 2000 the Wireless Location Industry Association (WLIA) [5] was founded to look more at the commercial issues of LBS.

¹ The penetration is measured as the total number of subscriptions as part of the entire population.


1.2 Background to the problem

Besides the lack of standards, as mentioned above, many positioning methods will require expensive upgrades of the existing GSM infrastructure. For instance, the Time Of Arrival method (see section 4.3) requires each base station to be equipped with a Location Measurement Unit (LMU), and every LMU to be equipped with GPS time in order to be synchronized. If the operator has a large number of base stations, the expense to equip each base station with a GPS receiver will become very high.

The different methods being discussed today are network based, i.e. they are executed within the GSM network, such as by using an LMU. What is not discussed as much is handset-based methods. If the execution could use information available in the handset, the changes in the GSM infrastructure would be potentially less expensive. It could also become easier for the developer, who would no longer have to rely totally on the operators.

To increase the functionality in the handsets a set of commands has been specified, the SIM Application Toolkit (SAT) commands [10]. These commands enable the SIM card to interact with and operate the cellular phone. Normally for a developer to use the SAT commands, the user’s SIM card has to be changed into one that has the developed application stored in its memory. By equipping the SIM cards with a so-called micro browser, similar to the WAP browser in a WAP enabled handset, SAT commands can more easily be used.

One such browser that normal GSM phones can use is the Wireless Internet Browser (WIB), which today is an open de facto standard in the process of being standardized. Among its features are the possibilities to browse WML pages, execute SAT commands and store new applications on the SIM card.

An interesting feature of the SAT commands is the possibility to query the handset about its stored location information. This information consists of parameters such as the serving cell and signal strength, and is normally used by the cellular phone to make decisions about the network. This information could be used when determining the position of the handset.

Throughout this paper I will show how these techniques, the SAT commands and the micro browser, can be used when calculating a position. Different methods on how to obtain the position will be discussed, to find a suitable method that can be based on information available in the phone.
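The location query described in this section, as an added example that is not code from the thesis or from SmartTrust: a Python decoder for the Location Information object a handset returns to the SIM in reply to the SAT PROVIDE LOCAL INFORMATION command. The command name, tag value and field layout are taken from GSM 11.14 and are assumptions here, since the text above does not give them; the response bytes are constructed sample data.

```python
"""Decode the SAT Location Information object (added example, not thesis code)."""
from dataclasses import dataclass

# Assumption (GSM 11.14): Location Information has tag 0x13 (0x93 when the
# comprehension-required bit is set) and a 7-byte value: PLMN(3) LAC(2) CI(2).
TAG_LOCATION_INFORMATION = 0x13


@dataclass(frozen=True)
class LocationInfo:
    mcc: str      # Mobile Country Code, 3 digits
    mnc: str      # Mobile Network Code, 2 or 3 digits
    lac: int      # Location Area Code
    cell_id: int  # Cell Identity of the serving cell


def iter_tlvs(data: bytes):
    """Yield (tag, value) pairs from a concatenation of TLV objects."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag = data[i] & 0x7F          # drop the comprehension-required bit
        length = data[i + 1]
        i += 2
        if length == 0x81:            # two-byte length form for 128..255
            if i >= len(data):
                raise ValueError("truncated TLV length")
            length = data[i]
            i += 1
        elif length >= 0x80:
            raise ValueError("unsupported TLV length encoding")
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        yield tag, data[i:i + length]
        i += length


def decode_plmn(plmn: bytes):
    """Decode the 3-byte swapped-nibble BCD coding of MCC and MNC."""
    if len(plmn) != 3:
        raise ValueError("PLMN field must be 3 bytes")
    mcc_digits = [plmn[0] & 0x0F, plmn[0] >> 4, plmn[1] & 0x0F]
    mnc_digits = [plmn[2] & 0x0F, plmn[2] >> 4]
    mnc_digit3 = plmn[1] >> 4
    if mnc_digit3 != 0x0F:            # 0xF is the filler for a 2-digit MNC
        mnc_digits.append(mnc_digit3)
    if any(d > 9 for d in mcc_digits + mnc_digits):
        raise ValueError("non-decimal digit in PLMN field")
    return "".join(map(str, mcc_digits)), "".join(map(str, mnc_digits))


def parse_location_info(response: bytes) -> LocationInfo:
    """Find and decode the Location Information object in a response."""
    for tag, value in iter_tlvs(response):
        if tag != TAG_LOCATION_INFORMATION:
            continue
        if len(value) != 7:
            raise ValueError("Location Information must be 7 bytes")
        mcc, mnc = decode_plmn(value[0:3])
        lac = int.from_bytes(value[3:5], "big")
        cell_id = int.from_bytes(value[5:7], "big")
        return LocationInfo(mcc, mnc, lac, cell_id)
    raise ValueError("no Location Information object in response")


# Constructed sample response (not captured from a real handset):
#   81 03 01 26 00   command details: PROVIDE LOCAL INFORMATION, qualifier 00
#   82 02 82 81      device identities: ME -> SIM
#   83 01 00         result: command performed successfully
#   13 07 ...        location information: MCC 240, MNC 01, LAC 123, CI 1234
SAMPLE_TERMINAL_RESPONSE = bytes.fromhex(
    "8103012600" "82028281" "830100" "130742F010007B04D2"
)

if __name__ == "__main__":
    print(parse_location_info(SAMPLE_TERMINAL_RESPONSE))
```

The decoded cell identity is only an identifier; turning it into coordinates needs a database of cell positions, which is why any application on the SIM that can issue this query is relevant to the privacy questions raised in section 2.5.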

1.3 Organization of the thesis

This master’s thesis aims at two goals. The first goal is to investigate how location-based services can be conducted by utilizing the micro browser on the SIM card. The second is to implement a demonstration, using products available from SmartTrust.


In section 2 the concept of location-based services is discussed: what can be done and which impacts it will have on our community. Section 3 discusses the GSM network, giving an overview. Then section 4 goes through different methods to obtain and calculate the position of mobile devices, such as the Time Of Arrival method mentioned earlier. Section 5 makes a comparison between positioning based on the information in the network and the phone.

In sections 6 and 7 I describe the implemented demonstration. Section 6 describes the SmartTrust products that are used in the demonstration, and how they integrate into the GSM system. Then in section 7 the actual solution and implemented demonstration are described. Finally, in sections 8 and 9 I draw conclusions about the thesis and future work.


2. Location-based services

2.1 Emergency calls

One very important service in our society is the emergency call centres. By dialling a simple number on the telephone, 112 in Europe and 911 in the U.S., help can quickly be obtained in case of an emergency. But for this service to work properly the location of the caller is needed. First the call must be re-routed to the correct call centre, since every centre only covers a limited area. Then by knowing the location of the caller, the emergency operator can get aid from computers in the form of maps and local information, and quickly dispatch the assignment to the closest available unit.

A couple of years ago it was a rather safe assumption to say that a received call was made from a fixed location. That was a fact that the emergency call services used. When the call was made the system would know where the call was made from, based on the registered address of the number’s owner. Today in the U.S. 20% of the emergency calls are made from mobile phones, and the number is expected to grow to 60% by 2002. These are calls that the emergency operator can’t get location information about. And in many cases a caller from a mobile phone doesn’t know his exact location. This has become such a big problem that the U.S. Federal Communications Commission has issued a mandate, E911, requiring the service operators to be able to identify the location of the caller within 125 m, 67 percent of the time, by October 2001 [3].

2.2 Assisting services

There are a few different examples of assisting services that could make use of positioning information. One is roadside assistance. When driving on a highway it can be hard to know where on the road you are. If the car breaks down somewhere in the middle of nowhere it might take a long time for the assistance to arrive if the location is not known. By determining your location the assistance can arrive much quicker. This kind of service doesn’t need a very accurate position. Often it is enough to know within which area the location is, since the road is already known and the assistance only needs the correct direction to drive.

Another service is getting driving directions. While travelling to an unknown location, an aid that gives you directions where to drive can be a useful service. Such a service would need a somewhat accurate position, especially in urban areas, to be able to determine the exact road. In a rural area where there are fewer roads, the position can be allowed to be less accurate.

Services such as broadcasting warnings about traffic jams can also be useful, especially if the message includes how far ahead of you the jam is and provides you with an alternative route.


2.3 Fleet management

A much sought-after service by companies is fleet management. Taxi companies would be able to keep track of where their cars are located, to assign new orders to the closest available car. Truck companies would be able to see when a shipment is about to arrive at the destination, and can alert the receiver to stand by if needed. Sales companies can see where their salesmen are. The list can be made long.

2.4 Personal services

When in a new town it’s not always easy to find the facilities and services one needs. Be it a restaurant or a post office, receiving directions to the closest one would prove very helpful. By letting the user request the service, the operator can find his location and match it against their database to find the closest place.

A common use for mobile phones today is to try and find where friends are in order to meet them. This requires a lot of phone calls or, especially among young people, a lot of text messages sent back and forth. Instead the user could enter the phone number of the person he wants to find, and as a result get an address or an answer similar to "Person is located 100 m east of you."

2.5 Personal privacy

An important issue to consider when dealing with positioning services is personal privacy. By enabling the mobile devices to be located, does that mean they are turned into homing beacons which will allow Big Brother to keep an eye on you wherever you go? How far can we go before breaking the personal integrity?

It must be up to the users when and where their devices can be positioned. The users should be able to set up rules, perhaps even on a personal basis. Maybe I don’t want my mother to see where I am late on a Friday night, but my friend who I am meeting should be able to locate me.

Another issue is law enforcement. Being able to locate a suspect would give great aid to the police. But people would argue that locating someone’s mobile device could be compared with tapping a phone line, and therefore a warrant should be needed before performing the positioning.

Two different scenarios of being located can be seen: either the user requests to be located or the system tries to locate the user. If these two scenarios are treated differently, perhaps the users will turn off the functionality to be located by the system. That would restrict the commercial value of the systems, since functions such as targeted ads will no longer work properly. Neither would requests from law enforcement. But if they are not treated differently, the users will lose some possibilities to set their personal preferences.

Between all these issues a compromise must be found. If the users trust the operator, then the operator could set up general rules, for example allowing the emergency call centres to locate a person even if that person has blocked all normal requests.


3. The GSM System

3.1 Introduction

The first mobile systems hit the market in the early 80’s. NMT-450 (Nordic Mobile Telephony) was the first out, followed by AMPS (American Mobile Phone System), both analogue systems. Soon it became clear that the analogue systems weren’t expandable enough to hold future growth, and in the mid 80’s work began to develop a second, digital, generation mobile system that later would be known as the Global System for Mobile communications (GSM).

When the GSM system officially launched in 1992 in a few different European countries it immediately became a success; by the end of 1993 there were more than one million subscribers. And it keeps growing. By 1995 there were 12 million users in 86 different countries. In June 2001 there were more than 550 million subscribers in 151 countries, with a forecast of over 1400 million subscribers by the end of 2005 [12,13].

Figure 1 - World GSM subscriptions. Diagram taken from GSM World.

The development of the GSM system is today driven by ETSI, the European Telecommunications Standards Institute. The specifications define the different units in the network by defining their functions and interfaces, ranging from the radio interface between the senders and receivers to how a text message should be constructed.

Today work is underway on a third generation of mobile systems, developing along with modifications of the second generation. These modifications are called generation 2.5, and an example is the GPRS (General Packet Radio Service).

3.2 Network architecture

The GSM architecture consists of several different units, and can be divided into 3 main parts:

- The Mobile Station (MS)

- The Base Station System (BSS)

- The Switching System


Figure 2 - GSM system overview

3.2.1 Mobile Station (MS)

The Mobile Station is the only part of the GSM system that the users usually ever see; it’s the phone carried by the user to place and receive calls. The MS consists of two different entities: the mobile equipment (ME) and the Subscriber Identity Module (SIM) card. The ME is the hardware enabling radio communication with the network. It is identified by its International Mobile Equipment Identity (IMEI), but is anonymous in the sense that it is not tied to any particular subscriber. It is the SIM card that identifies the subscriber in the network and keeps information necessary for the ME to use the network.

3.2.2 Base Station System (BSS)

The Base Station System connects the MS to the network, and is in charge of the transmission and reception. The BSS can be divided into the Base Transceiver Station (BTS) and the Base Station Controller (BSC).

It’s the BTS that handles the communication between the MS and the network. It consists of radio equipment and antennas to serve a small area, a so-called cell (see below).

The BSC controls and supervises a group of underlying BTSs. While the BTS handles the actual radio communication, the BSC controls all actions taken, such as transmitting power, when and what to transmit etc.

3.2.3 Switching System

The main role of the switching system is to manage the communications between the mobile users and other users, such as mobile users or fixed telephony users on the Public Switched Telephony Network (PSTN). The switching system also includes the databases needed for subscriber data and mobility management. These units are described below.

Mobile services Switching Centre (MSC)

The MSC performs the switching functions within the network, and sets up, supervises and releases calls. It can connect calls in the GSM network, or between the GSM network and other networks when necessary.


Gateway Mobile services Switching Centre (GMSC)

The GMSC connects and acts as a gateway between the GSM network and the PSTN. The GMSC is responsible for finding in which part of the network the MS is located by querying the HLR, and also for routing the call there.

Home Location Registry (HLR)

Operators have a global register containing information about all their subscribers to the network, the HLR. The HLR also includes information about the subscriber’s current location and which MSC serves the user at the moment.

Visitor Location Registry (VLR)

The VLR is a regional database, in contrast to the global HLR, and is found together with every MSC. This register stores information about all subscribers that are registered in that MSC area at the moment. When the HLR has told the GMSC in which MSC service area the subscriber is registered, a more detailed description of which Location Area (LA) the MS will be found in can be obtained from the VLR.

Authentication Centre (AUC)

The AUC is used for security purposes. It manages data for the authentication of subscribers and encryption. All MSs can be asked to go through an authentication process before being allowed access to the network.

Equipment Identity Register (EIR)

The EIR is also used for security purposes but for hardware issues instead of subscribers. By storing information about valid ME, the IMEI, it can verify that the equipment is approved, not stolen, etc.

3.2.4 Geographical areas

Every telephone network needs a structure in order to route the calls to the right entities. This is even more essential in a GSM network where the subscribers are mobile and move around the entire time. This structure is obtained by dividing the network into different levels of geographical areas. See Figure 3.

The cells are the smallest geographical entities, each cell covered by one BTS. A cell can be of different sizes, from a radius of tens of kilometres in rural areas down to a radius of tens or hundreds of meters in an urban area. The maximum cell radius is defined as 35 km, due to signalling issues.


Figure 3 - Geographical structure

A number of cells are grouped into a Location Area (LA), and a group of LAs defines the MSC/VLR service area (Mobile services Switching Centre/Visitor Location Register). Note that the divisions into LAs have nothing to do with which BSC the cells belong to.

The top-level area is the Public Land Mobile Network (PLMN), which is a complete GSM network belonging to one network operator, and can contain one or several MSCs. Each country can have one or several PLMNs.

3.3 Radio interface

The theories of the radio and air interfaces are too vast to go into in detail in this report. A more detailed description can be found in [15] and [17] and the specifications.

3.3.1 Physical channels

The GSM system is specified to use a limited frequency spectrum. With an available frequency band² of 25 MHz it’s important to utilize the space as much as possible. To allow maximum usage of the system, a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) techniques is used.

Each frequency band is divided into 124 carrier frequencies, separated by a 200 kHz spacing, using FDMA. Each of these carriers is subdivided into 8 timeslots, using TDMA.

A physical channel is defined as one time slot on one carrier, and can carry one burst of information. A burst is a formatted sequence of bits that lasts 0.577 ms.

² 890-915 MHz uplink and 935-960 MHz downlink


3.3.2 Logical channels

When communicating, the BTS and MS share many different types of information. Each different type of information is structured into logical channels, where a logical channel is a specific type of information carried by a physical channel.

- Traffic CHannel (TCH). The TCHs are used to carry speech or data traffic.

- Broadcast Control CHannel (BCCH). Gives the MS necessary parameters needed to identify and access the network. The information supplied could be the frequencies of neighbour cells for the MS to monitor, Location Area Identity (LAI), etc.

- Synchronization CHannel (SCH). Gives the training sequence needed in order for the MS to demodulate the information transmitted by the BTS. SCH also contains the Base Station Identity Code (BSIC), which allows the MS to identify that it’s listening to the correct frequency and PLMN.

- Frequency Correction CHannel (FCCH). Supplies the MS with the frequency reference³ of the system, in order for the MS to synchronize with the network.

- Paging CHannel (PCH). Used to alert the MS of an incoming call or Short Message (SM).

- Random Access CHannel (RACH). Used by the MS to request access to the network.

- Access Grant CHannel (AGCH). Used by the BTS to acknowledge a RACH. The MS will also be assigned a signalling channel (SDCCH) to use for its reason for the access.

- Standalone Dedicated Control CHannel (SDCCH). The channel on which the actual signalling takes place.

- Slow Associated Control CHannel (SACCH). Used for channel maintenance and channel control.

- Fast Associated Control CHannel (FACCH). Used when urgent signalling information must be transmitted.

3.3.3 Radio signalling issues

Since the GSM system uses a radio interface to communicate between the BTSs and MSs, there will be different problems that might lower the quality of the signals. These problems might also affect different location schemes. Some of the methods use time measurements to calculate the position; if the signal is erroneous, the calculations might go wrong. The following issues are among the most common.

³ The frequency reference is a transmitted pure sine wave


Path loss

Signal attenuation, or path loss, will cause the radio signal to become weakerthe further distance it has traversed. This can be a problem, making it difficultto obtain strong enough signal strength. But it’s also the principle on which thecellular technology is built. Since the signal eventually will be too weak toreceive, the frequency can be re-used if the distance between the BTSs is longenough.

Shadowing and multi-path fading

In many cases it’s not possible to have a line of sight between the MS and BTS,such as in an urban area with a lot of tall buildings. The obstacles will thencause shadowing, which results in variations in signal strength as the MS movesaround.

When no line of sight is possible, reflected signals will be used instead.Normally the MS will not receive one but several reflected signals, and theresulting signal might be stronger or weaker than the individual signals. Sincethe reflected signals will have different traversing times they will be slightly outof phase. If there is no, or almost no phase difference, the resulting signal mayhave better signal strength. But if the phase difference is close to 180 degreesthe signals might cancel each other out. This phenomenon is called multi-path,or Rayleigh, fading.

Time dispersion

When moving in an open area with very large reflecting objects, such asmountains, time dispersion might be present. If the radio signals are reflectedthe MS might not only receive the signals directly from the BTS, but also afairly strong reflection from the reflector. This will cause an interference of thesignals. The bit stream from the direct signal may arrive several bit-times earlierthan the reflected bits. This effect, caused by the time dispersion, is called InterSymbol Interference. This is mainly a concern in rural areas.

Static noise

All radio communications are affected by noise in the transmissions, the static noise. It can be general background noise, atmospheric disturbances such as lightning or man-made causes like engine ignition.

3.3.4 Timing Advance

In the TDMA scheme it’s important that the information is sent and received in the designated timeslots. If the sender is far away from the receiver the signal will be delayed as it traverses through the air. With a too large time difference between the intended arrival time and the actual arrival time, the signal will be out of synchronisation and the receiver will not be able to decode the signal.


To deal with this, a concept called Timing Advance is used. In all frames the MS transmits, there is a sequence called training sequence. Using this training sequence the BTS can measure the degree of synchronisation between the MS and BTS, and send the calculated Timing Advance value back to the MS telling how much delay the MS should use when transmitting new signals.

GSM 05.10 [9] defines the Timing Advance value to be coded between 0 and 63, and corresponding time values between 0 and 233 µs. With a maximum cell radius of 35km, each increment of the value corresponds to a distance of approximately 550m.

3.4 SIM card

As described above the MS consists of two entities: the ME and the SIM card. Whereas the ME handles the radio communication, it’s the SIM card that provides all user subscription information and personalisation. Without the SIM card the ME can’t log onto the system, and simply put the ME is just a non-operational mechanical device (see footnote 4). Since the SIM card holds all user information, it’s not tied to a specific ME but can be used in any ME and the owner of the SIM will be charged for the calls, not the owner of the ME.

The SIM cards contain three different types of information that’s related to the user. The first type is information that is stored by the operator and can’t be changed, such as the International Mobile Subscriber Identity (IMSI) and the authentication key Ki. The IMSI identifies the subscriber within the GSM network, and the Ki is used for security purposes.

The second type of information is temporary stored information, such as network information that changes over time. Examples of this are the Temporary Mobile Subscriber Identity (TMSI) or Location Area Identity (LAI). The TMSI is sometimes used instead of the IMSI to identify the user in the network, to increase security against actions such as monitoring of certain IMSI. The LAI identifies which LA the subscriber currently is registered in.

The last type of information is service-related and can be language preferences, phonebook, short messages, call log and so on.

To enhance the functionality of the SIM card it can be programmed with SIM Application Toolkit commands, which enables the card to interact with the ME.

3.4.1 Security

Another important role that the SIM card holds, besides the user information, is the security function. The SIM card contains two different kinds of security types. The first kind is to protect the card against unauthorized use. The subscriber has a Personal Identification Number (PIN) code to be authenticated as the correct user.

4 One exception exists where the ME can place calls without a SIM card; emergency calls.


The second type is used for security over the radio path. To prevent the radio traffic from being intercepted by a third party, the traffic needs to be encrypted. For this reason the SIM card holds a secret parameter called Ki (also stored in the AUC), which is the subscriber authentication key. The secrecy of Ki is the cornerstone of the security mechanism. The key is stored on the SIM in such manner that it can’t be written to, and only read during the security authentication process.

Since the secrecy of Ki is important it’s never actually used on the network. Instead Ki is used to calculate a temporary cipher key, Kc, which is used to encrypt and decrypt the signals, see Figure 4.

Figure 4 - Authentication and Kc computation

Authentication

When the MS tries to connect to the GSM network, the AUC starts a mechanism to challenge the MS to see if it’s authorized to access the network.

The AUC creates a random number, RAND, and sends it to the MS. The MS uses the RAND in combination with its secret Ki to compute a response, SRES, and sends it back to the AUC. The AUC in its turn makes the same computation, since it too has access to the Ki. The two SRESs are compared, and if they are equal the MS is authenticated to use the network.

The RAND is also used to compute the temporary cipher key Kc, but with different algorithms than for the SRES computation.
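The challenge-response exchange described above, with both sides' messages, as an added example that is not part of the thesis. The SRES and Kc algorithms are operator-chosen and not given in the text, so HMAC-SHA256 with two different labels stands in for them here (an assumption), as are the class names, the sample IMSI and the sample Ki, all of which are constructed.

```python
import hashlib
import hmac
import secrets

SAMPLE_IMSI = "001010123456789"                              # constructed test identity
SAMPLE_KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key


def _derive(ki: bytes, label: bytes, rand: bytes, size: int) -> bytes:
    # Stand-in only: real networks use their own algorithms for SRES and Kc.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:size]


def compute_sres(ki: bytes, rand: bytes) -> bytes:
    return _derive(ki, b"SRES", rand, 4)      # 32-bit signed response


def compute_kc(ki: bytes, rand: bytes) -> bytes:
    return _derive(ki, b"KC", rand, 8)        # 64-bit temporary cipher key


class Sim:
    """Card side: Ki goes in at personalisation and is never returned."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.__ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        # The only operation that touches Ki; the ME sees just SRES and Kc.
        return compute_sres(self.__ki, rand), compute_kc(self.__ki, rand)


class Auc:
    """Network side: holds the same Ki per subscriber and issues challenges."""

    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)
        self._pending = {}

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)        # fresh 128-bit RAND per attempt
        self._pending[imsi] = rand
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return Kc when SRES matches the outstanding RAND, else None."""
        rand = self._pending.pop(imsi, None)  # each RAND is usable once
        ki = self._ki.get(imsi)
        if rand is None or ki is None:
            return None
        if not hmac.compare_digest(sres, compute_sres(ki, rand)):
            return None
        return compute_kc(ki, rand)


def attach(sim: Sim, auc: Auc) -> bool:
    """One full exchange: RAND down, SRES up, both ends derive the same Kc."""
    rand = auc.challenge(sim.imsi)
    sres, kc_ms = sim.run_gsm_algorithm(rand)
    kc_net = auc.verify(sim.imsi, sres)
    return kc_net is not None and hmac.compare_digest(kc_net, kc_ms)


def replayed_response_accepted(sim: Sim, auc: Auc) -> bool:
    """An SRES observed in one run is presented again against a new RAND."""
    old_sres, _ = sim.run_gsm_algorithm(auc.challenge(sim.imsi))
    auc.verify(sim.imsi, old_sres)            # the legitimate run completes
    auc.challenge(sim.imsi)                   # network issues a fresh RAND
    return auc.verify(sim.imsi, old_sres) is not None


if __name__ == "__main__":
    auc = Auc({SAMPLE_IMSI: SAMPLE_KI})
    print("genuine SIM:", attach(Sim(SAMPLE_IMSI, SAMPLE_KI), auc))
    print("wrong Ki   :", attach(Sim(SAMPLE_IMSI, bytes(16)), auc))
    print("replay     :", replayed_response_accepted(Sim(SAMPLE_IMSI, SAMPLE_KI), auc))
```

Only RAND and SRES cross the radio path; Ki stays on the card and in the AUC, and a response bound to an earlier RAND fails against a fresh one.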


3.4.2 SIM Application Toolkit

To provide value-added services to the GSM phone, ETSI has specified the SIM Application Toolkit (SAT) commands [10, 11]. SAT provides mechanisms for the SIM card to issue commands to the ME, and can be triggered by different events such as incoming Short Messages (SM) or user initiated selections.

By default the SIM card can’t perform anything more than provide information to the ME when requested. But the SAT commands give the SIM card ability to interact and control the ME. It can change the menu system, interact with the user, set up calls or messages, update services, and so on. This provides a very powerful base on which applications may be built and stored on the SIM card.

The SAT commands can also utilize the security functions in the SIM. By asking the user for the PIN code and then encrypting the data being sent, advanced secure applications can be created, which is a requirement when developing services such as banking services.

The specification has defined a number of different mechanisms, of which Data Download to SIM and Proactive SIM are most important for this work.

Data Download to SIM

The Data Download mechanism allows data, or SAT commands, to be sent to the ME and downloaded onto the SIM card. As transportation of the data a normal SM can be used, without notification to the subscriber.

This gives the operators the possibility to modify information on the SIM card if needed, such as subscription information. It also gives the possibility to download and store an application on the SIM card, or send SAT commands for execution.

Proactive SIM

This mechanism gives the SIM card ability to initiate actions to be taken by the ME. These commands include most part of what the users will notice of the SAT, such as display text, and are called proactive commands.

The communication between the ME and the SIM card is defined in GSM 11.11 [10], where the ME always acts as “server” and initiates commands to the SIM card. Therefore there are no mechanisms for the SIM card to initiate communication with the ME. With the proactive mechanism, the ME asks the SIM card if there are any commands it should execute, and after executing any command the result is returned back to the SIM card.

The direction of the communication, ME to SIM, has an important impact: it is the ME that decides which SAT commands can be used. For example, an old ME has no way of knowing about a newly developed SAT command and hence can’t use it even if the SIM card can. Today the manufacturers work to make their products more and more compliant with the specifications, but many older products, and even new products, don’t support all commands defined in the specifications.


An important proactive command for this work is the command Provide Local Information. This command allows the SIM card to question the ME for its network parameters. The information includes:

- Location information; Mobile Country Code (MCC), Mobile Network Code (MNC), LAI and cell ID of the serving cell.

- The International Mobile Equipment Identity (IMEI) of the ME

- Network Measurement Result (NMR) and BCCH channel list

- Current time, date and time zone

- Current language setting in the ME

- The Timing Advance (TA)

A short description of more proactive commands can be found in Appendix B, and a more comprehensive description in GSM 11.14 [11].

3.4.3 Micro browser

Another way to use SAT commands is to use a micro browser. The micro browser is a SAT application stored on the SIM card. Depending on the developer of the browser it will have different features, but basically it can be compared with a normal Internet browser such as Microsoft Internet Explorer. The browser builds up a menu structure where the different menu items can be seen as “bookmarks”, as used in normal Internet browsers, and typically point to an instruction stored on the SIM card. After selecting the wanted instruction, the browser converts the instruction into a SAT command and executes it. Depending on the application and command, the result could be hidden, displayed or used for further processing.

In order for the ME to use the browser the ME needs to be SAT class 2 compliant. As stated above not all products can utilize all SAT commands, but all new handsets are today compliant enough to use a micro browser, and the number of micro browser enabled handsets is expected to grow rapidly, see Figure 5 [19].

Wireless Internet Browser (WIB) is a micro browser originally developed by Across Wireless (see footnote 5), but is now an open standard for any SIM card manufacturer to use. The WIB has today grown into becoming the de facto standard for micro browsers, and due to the open standard many SIM card manufacturers implement the WIB on their cards. The WIB will be discussed more in detail in section 6.1.

5 Now Across Wireless is part of SmartTrust AB


Figure 5 - Global cellular subscribers and installed base of micro browser enabled handsets. Diagram taken from SmartTrust.

3.5 Short Message Service

The GSM specifications include definitions of sending alphanumeric messages through the network, both to and from the ME. The Short Messages (SM; see footnote 6) can carry up to 140 bytes of information, which makes it possible to send up to 160 characters with the Latin alphabet and 70 when a Unicode alphabet is used, such as Arabic or Chinese.

From the beginning the operators saw SMS as nothing more than an extra feature in their network. But as the development continued the SMS turned into one of the features generating most revenue for the operators. In May 2001 almost 19 billion SM were sent world wide [14], and the number increases each month as new services are introduced.

In order for the system to be able to handle SM, a few entities in the GSM network have to be modified. Besides modifications in the GMSC, MSC and MS to make them handle SM, a Short Message Service Center (SMSC) has to be added in the switching system, see Figure 6.

6 In daily talk SM is often referred to as SMS, which shouldn’t be confused with the service supplied by the operator.


Figure 6 - GSM network enabled for SM

The SMSC receives and relays messages to and from the MSs, and sends a report of the result to the originator of the SM. The system is designed to be reliable and the SMSC can store the SM in case of a failure, and reattempt the delivery at a later point.

An important feature of the SMS is its ability to use the 140 bytes as carrier for data instead of text. This is utilized by the data download mechanism of SAT, as mentioned above.


4. Obtaining the position

The operators face a range of different methods to use when implementing positioning services. These methods include Cell Of Origin (COO), which today is the only working method with existing network and handsets, Timing Advance (TA), Enhanced Observed Time Difference (E-OTD), Time of Arrival (TOA), Angle of Arrival (AOA) and Global Positioning System (GPS).

The European Telecommunications Standards Institute (ETSI) has issued a Technical Specification where they handle four different methods to use in addition to COO: TA, TOA, E-OTD and GPS [7].

The different methods to obtain a position, described below, can be divided into four categories, depending on where the information is gathered and calculated.

- Network based

- Network based, MS assisted

- Network assisted, MS based

- MS based

The first category relies solely on the network. It can derive the needed information without involving the handsets. COO and TA are in this category.

Network based, MS assisted methods are the most common. The important calculations are done within the network but some information is needed from the MS, such as receiving the signal from the MS to measure a time value.

The network assisted, MS based methods are actually network based in spite of the label. They are mostly executed in the network, but the final calculations may be made in the MS. The difference between this and the network based, MS assisted methods could be where the method was initialised. E-OTD, for example, can be of both types. If it’s the subscriber himself who wants the result of the position, then the calculation can be done in the MS and presented on the display. But if it’s the system that tries to fix the position of a subscriber, then the calculation could be done within the network once needed information is obtained from the MS.

MS based methods are what’s interesting for this thesis, and need no information from the network other than what exists in the MS. As with network based methods, COO and TA are of this type, along with the Network Measurement Result (NMR). GPS also belongs to this category; it is not of interest for this thesis but is included for comparison.


4.1 Cell Of Origin (COO)

COO is the simplest and cheapest method to use since it requires no changes in handsets or network, and is already being used by the operators. The method uses the cell area in which the mobile station is registered. By identifying the cell-ID of serving cell, the corresponding Base Transceiver Station (BTS) can be found. The BTS has a fixed position and known properties, such as signal strength, and an area around the BTS can be calculated in which the handset should be located to receive signals in this cell.

This method is fairly inaccurate. The area calculated around the BTS is based on transmitted signal strength and known signal attenuation, which would give a radius around the BTS. Thus this method depends upon the network cell size, which can vary from 150m in an urban area up to 30,000m in a rural area. So for some services this method might be accurate enough in an urban area, such as getting the address to a postal office in the vicinity, but far from acceptable in a rural area.

As mentioned above, COO is of both the types network based and MS based. The cell-ID is stored both in the network and the MS, and the method is already in use through the network. With help of the SAT command Provide Local Information the SIM card can obtain the cell-ID from the ME. This makes it possible to execute this method solely on information accessible from the MS.

It should also be noted that due to signalling issues, such as multi-path effects, the strongest signal doesn’t have to come from the closest BTS.

Figure 7 - (a) Cell Of Origin, (b) Cell Of Origin + Timing Advance

4.2 Timing Advance (TA)

A way to improve COO is to enhance the method using the Timing Advance value (TA). As described in section 3.3.4, TA is used to synchronize the signals between the MS and the BTS.

The TA is 6-bit information, defined in GSM 05.10 [9] to be 0 when no TA is available and 63 to be the maximum. With a maximum radius of 35km, each increment of the TA value corresponds to a distance of about 550m. I.e. a TA value of 0 means the MS is between 0 and 550m away from the BTS, a value of 5 means between 2750 and 3300m away.


By using the TA value, in addition to the COO, the circle around the BTS will be narrowed down to an approximate 550m wide arc. In a rural area where the cell size can be up to 35km in radius this will show an improvement over plain COO. But in urban area it might not provide much improvement, since many cells have a size smaller than 550m. In such cells the TA would never be assigned a value higher than zero, since it would define a distance longer than the cell size.

As with COO, the TA value is stored in both the network and the MS, and can be retrieved at both positions. Thus this method can be executed both through network and from an application stored on the SIM card.

However, whereas most handsets support the command to fetch the cell-ID, not all support the request for the TA value. Although the command is defined in the GSM specifications, it’s classed as not mandatory and some manufacturers do not implement it yet.
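An added example, not code from the thesis, that ties the Provide Local Information results of section 3.4.2 to the COO and COO+TA estimates of sections 4.1 and 4.2: it decodes the Location Information and Timing Advance data objects and falls back to plain COO when the handset returns no TA. The tag values and byte layout follow GSM 11.14; the assumption is that the SIM application has already extracted these objects from the ME's response, and the sample bytes, cell database and coordinates are constructed.

```python
TA_STEP_M = 550            # distance per Timing Advance increment, as stated in the text
TAG_LOCATION_INFO = 0x13   # SIMPLE-TLV tag: Location Information (GSM 11.14)
TAG_TIMING_ADVANCE = 0x2E  # SIMPLE-TLV tag: Timing Advance (GSM 11.14)


def parse_tlvs(data: bytes) -> dict:
    """Split a run of SIMPLE-TLV objects into {tag: value}; reject truncation."""
    objects, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i] & 0x7F, data[i + 1]   # bit 8 of the tag is a flag
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        objects[tag] = value
        i += 2 + length
    return objects


def decode_location_info(value: bytes) -> tuple:
    """7 bytes: MCC/MNC as swapped BCD digits, then LAC and cell ID (big-endian)."""
    if len(value) != 7:
        raise ValueError("Location Information must be 7 bytes")
    mcc = f"{value[0] & 0x0F}{value[0] >> 4}{value[1] & 0x0F}"
    mnc = f"{value[2] & 0x0F}{value[2] >> 4}"
    if value[1] >> 4 != 0xF:                        # 0xF marks a two-digit MNC
        mnc += f"{value[1] >> 4}"
    lac = int.from_bytes(value[3:5], "big")
    cell_id = int.from_bytes(value[5:7], "big")
    return mcc, mnc, lac, cell_id


def decode_timing_advance(value: bytes) -> int:
    """2 bytes: ME status, then the TA value (0..63)."""
    if len(value) != 2 or value[1] > 63:
        raise ValueError("invalid Timing Advance object")
    return value[1]


def estimate_position(objects_bytes: bytes, cell_db: dict) -> dict:
    """Return the BTS position and the distance band the MS should lie in."""
    objects = parse_tlvs(objects_bytes)
    if TAG_LOCATION_INFO not in objects:
        raise ValueError("no Location Information returned by the ME")
    cell = decode_location_info(objects[TAG_LOCATION_INFO])
    site = cell_db[cell]                            # KeyError: unknown cell
    result = {"cell": cell, "bts": site["bts"], "method": "COO",
              "min_m": 0, "max_m": site["radius_m"]}
    if TAG_TIMING_ADVANCE in objects:               # not all handsets support it
        ta = decode_timing_advance(objects[TAG_TIMING_ADVANCE])
        result.update(method="COO+TA", min_m=ta * TA_STEP_M,
                      max_m=(ta + 1) * TA_STEP_M)
    return result


# Constructed sample: test network 001/01, LAC 0x1234, cell 0xABCD, TA = 5.
SAMPLE_LOCATION = bytes.fromhex("130700f110" "1234" "abcd")
SAMPLE_TA = bytes.fromhex("2e020105")
SAMPLE_CELL_DB = {("001", "01", 0x1234, 0xABCD):
                  {"bts": (0.0, 0.0), "radius_m": 30000}}   # constructed site data

if __name__ == "__main__":
    print(estimate_position(SAMPLE_LOCATION + SAMPLE_TA, SAMPLE_CELL_DB))
    print(estimate_position(SAMPLE_LOCATION, SAMPLE_CELL_DB))
```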

4.3 Time Of Arrival (TOA)

TOA works by measuring signals sent from the MS to three or more BTSs. By sending a known signal the BTS can receive the signal and hand it over to a Location Measurement Unit (LMU). The LMU measures the time it took for the signal to travel between the MS and the BTS, the TOA value. These values can be used to calculate a circle around the BTS, since the propagation time of the radio wave is directly proportional to its traversed distance. Calculating where the circles from three different BTSs intersect will give the approximate location of the MS.

Figure 8 - Time Of Arrival

The precision of the clocks in the LMUs is important for this method; one microsecond timing error would result in a 300m error of the position. To synchronize the clocks, the LMUs are equipped with GPS time.

This method needs extensive changes in the network before it can be used. Each BTS needs to be equipped with, or connected to a LMU in order to measure the time.

Since this method builds on signals sent from the MS out to the network, it can only be executed in the network and belongs to the category network based, MS assisted. Due to the changes needed it’s not possible to implement as of today.


4.3.1 Time Difference of Arrival (TDOA)

TDOA is a variation of the TOA, and can be used if the time the signal was sent isn’t known or not accurate. Instead of using absolute time measurements, as TOA, this method rather uses difference measurements. The LMU at the BTS marks the time when the signal arrived from the MS, d1, see Figure 9. This value is compared against when the signal arrived to another BTS, d2. The difference between the two arrival times, d1-d2, is called the TDOA value. A curve is calculated along the line where the TDOA value is constant, a hyperbola. By using two pairs of BTSs, at least three BTSs, two hyperbolas can be calculated and an intersection found where the MS is located.

As with TOA, this method can only be executed in the network and is not possible to implement today.

Figure 9 - Hyperbolic curves

4.4 Enhanced Observed Time Difference (E-OTD)

This method works in a similar way to the TDOA described above, but in the other direction. Instead of the network measuring signals from the MS, in E-OTD it’s the MS measuring signals from the network. By observing when a signal arrives from a BTS the MS can calculate the difference between the arrival times from two different BTSs, the observed time difference (OTD). As in TDOA the OTD is used to calculate a hyperbola where the OTD is constant to the two BTSs. At least two distinct pairs of BTSs are needed to calculate an intersection, thus minimum of three BTSs.

Since the time measurements are done in the MS, just the OTD is not enough to get an accurate value. The real time difference (RTD), the difference between when the two signals were sent, is needed as well. To calculate the hyperbolas the geometric time difference (GTD) is used, where GTD is defined as: GTD = OTD – RTD.

To measure the RTDs, the signal bursts have to be received not only by the MS but also by a LMU. The LMU has a known position, and therefore has a known distance to all BTSs. When the LMU receives the signal bursts it can calculate the RTD with help of the known distances.


Compared with TOA, where a LMU is needed at every BTS, this method is expected to require a LMU at every third to fifth BTS [7]. This would make E-OTD less expensive to implement.

Two different versions of this method can be seen. The first is a network based, MS-assisted version of E-OTD. When the MS has measured the signals, it sends them out onto the network again for the calculations. The second is a network assisted, MS based version, where more information is sent to the MS so it can perform the calculations.

In both cases changes are needed on what exists today. Besides the LMUs, changes in the handsets may be needed so they can recognize the signals and measure them.

An interesting note about the E-OTD method is if the GSM network would be synchronized, i.e. all BTSs transmit their bursts at the exact same time. This means the RTD would be zero, hence no need to measure the time differences in the network. If the network could provide the MS with all necessary information along with the bursts, the actual calculations could be done solely in the handset. To synchronize the network, however, the BTSs would need to be equipped with very precise clocks.
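The hyperbola intersection used by TDOA and E-OTD, worked through as an added example that is not part of the thesis: GTD = OTD – RTD is turned into range differences and the two hyperbolas are intersected with Newton's method (a solver chosen here; the thesis does not prescribe one). It also shows how a one microsecond error in an RTD moves the fix. The BTS coordinates, RTD values and true position are constructed, in metres on a flat plane.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed geometry: bts[0] is the reference BTS of both pairs.
SAMPLE_BTS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]
SAMPLE_RTD = (3.2e-6, -1.7e-6)        # constructed send-time offsets vs. bts[0]
TRUE_POS = (1200.0, 2100.0)           # constructed MS position


def simulate_otd(pos, bts, rtd):
    """OTD the MS would observe: geometric difference plus the send-time offset."""
    d0 = math.hypot(pos[0] - bts[0][0], pos[1] - bts[0][1])
    return tuple(
        (math.hypot(pos[0] - bx, pos[1] - by) - d0) / C + r
        for (bx, by), r in zip(bts[1:], rtd)
    )


def locate_eotd(bts, otd, rtd, iterations=20):
    """Intersect the two hyperbolas defined by GTD_i = OTD_i - RTD_i."""
    if len(bts) != 3 or len(otd) != 2 or len(rtd) != 2:
        raise ValueError("need three BTSs and two OTD/RTD pairs")
    diffs = [C * (o - r) for o, r in zip(otd, rtd)]   # range differences in metres
    x = sum(b[0] for b in bts) / 3                    # start at the centroid
    y = sum(b[1] for b in bts) / 3
    for _ in range(iterations):
        r0 = math.hypot(x - bts[0][0], y - bts[0][1])
        res, jac = [], []
        for (bx, by), d in zip(bts[1:], diffs):
            ri = math.hypot(x - bx, y - by)
            res.append((ri - r0) - d)                 # zero on the hyperbola
            jac.append(((x - bx) / ri - (x - bts[0][0]) / r0,
                        (y - by) / ri - (y - bts[0][1]) / r0))
        det = jac[0][0] * jac[1][1] - jac[0][1] * jac[1][0]
        if abs(det) < 1e-12:
            raise ValueError("degenerate geometry: hyperbolas nearly parallel")
        # Solve jac * step = -res with Cramer's rule.
        dx = (-res[0] * jac[1][1] + res[1] * jac[0][1]) / det
        dy = (-jac[0][0] * res[1] + jac[1][0] * res[0]) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-3:                 # converged to a millimetre
            break
    return x, y


def fix_error_with_rtd_offset(offset_s):
    """Position error in metres when the first RTD is wrong by offset_s seconds."""
    otd = simulate_otd(TRUE_POS, SAMPLE_BTS, SAMPLE_RTD)
    bad_rtd = (SAMPLE_RTD[0] + offset_s, SAMPLE_RTD[1])
    x, y = locate_eotd(SAMPLE_BTS, otd, bad_rtd)
    return math.hypot(x - TRUE_POS[0], y - TRUE_POS[1])


if __name__ == "__main__":
    otd = simulate_otd(TRUE_POS, SAMPLE_BTS, SAMPLE_RTD)
    print("fix with correct RTD:", locate_eotd(SAMPLE_BTS, otd, SAMPLE_RTD))
    print("error with 1 us RTD offset (m):", fix_error_with_rtd_offset(1e-6))
```

With exact RTDs the fix lands on the true position; with the first RTD off by one microsecond it moves by a couple of hundred metres in this geometry, which is why the LMU measurements matter.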

4.5 Angle Of Arrival (AOA)

If the angle in which the signal from the MS arrives to the BTS can be measured, a line can be drawn from the BTS using this angle. By measuring the angle at two or more different BTSs an intersection of the lines can be calculated where the MS would be located.

Figure 10 - Angle Of Arrival

An advantage of this method is that only two BTSs are required to find an intersection, which can be useful in remote and rural areas. The main disadvantage is the need of complex antennas to measure the angle. Each BTS has to be equipped with an array of antennas, usually between four and 12, with a spacing of less than one wavelength, or with smart directional antennas. Both types are expensive and not commonly used on the market.

This method is executed in the network, and the expensive changes needed make it unlikely to be widely implemented in a near future.


4.6 Network Measurement Result (NMR)

A method normally not discussed is to use a piece of information called the Network Measurement Result (NMR) information, which is available only in the MS.

When a user moves around in the GSM network, it’s unavoidable to change between different geographical areas. To know which cell the MS should communicate with, the ME constantly listens to the signals sent out from the different BTSs. The signals are measured and at certain threshold values of the signal strengths the ME will decide it needs to change its serving cell, and initiate a so-called handover procedure.

To measure the different signals, the ME stores information about the currently serving cell, as well as up to six other cells of which it has received the strongest signals, called neighbour cells. This information is the Network Measurement Result (NMR). The NMR contains three different types of information that’s interesting for this report about the neighbour cells: the Base transceiver Station Identity Code (BSIC), BCCH frequency and received signal strength. More details about the NMR can be read in GSM 04.18 [8].

The information about these neighbour cells can be used during a positioning method. If the received signal strength could be relied on, the values could be used to calculate a circle around the neighbour cell on which the phone should be located. But due to too many issues, like signal shadowing or dispersion, the values can’t be trusted. Instead the values can be used to make a calculated guess about the distance to the neighbour cell. With enough calculated guesses, an estimation of where the cell could be located in relation to the serving cell can be made. This wouldn’t give an exact location of the phone, but would limit the area in which it might be located.

Figure 11 – COO enhanced with calculated estimation from neighbour cells

Figure 11 exemplifies the difference between with and without using the NMR. The left example uses only COO, and gets a circle as result with a radius depending on the BTS’ transmitted signal strength. In the right example, the NMR is used to find 4 neighbour cells and a couple of guesses can be made.


- There are no neighbour cells located west of the serving cell. Hence it’s sound to make the assumption that there is a possibility the phone is located east of the serving cell.

- The example also assumes that the received signal strength from the two northern neighbour cells is stronger than from the southern. Hence a possibility the phone is located north of the serving cell.

The result would be an estimation that the phone could be located northeast of the serving cell, and the original full circle can be narrowed down in size.

I emphasize that these are only guesses, since a risk exists that the signal values don’t reflect the truth. For example, the phone in the example may actually be located much closer to the southern neighbour cells, but a very tall structure between the cells and the phone weakens the signals considerably.

The NMR information exists only in the MS and hence can only be used through an MS based method. Means to obtain the NMR are declared in the GSM specifications, however not all handsets support the needed commands. Due to the nature of radio signals a positioning scheme can’t rely solely on the NMR, but should be used in conjunction with another method.

4.7 Global Positioning System (GPS)

GPS is the most widely used system for positioning. It’s also the most accurate, with accuracy down to about 10m in best cases [16]. The system relies on a network of 24 satellites circling the Earth, NAVigation Satellites with Time And Ranging (NAVSTAR), established by the U.S. Department of Defence in the late 70’s. Today the U.S. military operates the system, but anyone with a GPS receiver can decode the satellite signals and use the system. The satellites orbit the earth twice each day in such manner that between five and eight satellites are visible from any point on earth at all times.

To calculate the position, the receiver needs two kinds of values: the position of three satellites (four satellites are needed when positioning in four dimensions: X, Y, Z, and Time) and the distance between the GPS receiver and respective satellite.

In order to know where the satellites are located the GPS receiver picks up two types of information from the satellites. The first type is called “almanac” which contains information about the satellite’s orbit and tells the approximate location of the satellite. This information is updated periodically in the satellite as it moves around. The satellite continuously sends out the almanac, and the GPS receiver stores this information in the memory to know the orbits of the satellites and keep track where they are located.

The second type of information is called “ephemeris”. Any satellite can travel slightly out of its planned orbit. To compensate for this, ground monitors keep track of the satellites’ orbit, altitude, location and speed, and send the corrected data to the satellites. This data, the ephemeris data, is valid four to six hours and in combination with the almanac will allow the GPS receiver to know the exact position of the satellite.


To obtain the distance to the satellites, the GPS method uses an approach based on the TOA principle. The signal from the satellites contains information about when it was sent, which allows the GPS receiver to measure the time it took for the signal to travel between the satellite and the receiver. This value is multiplied with the speed of light to calculate the distance to the satellite, by the formula Velocity * Travel Time = Distance.

When the position of the satellites and the distances are known, the location of the receiver can be calculated through triangulation.

There are a number of sources for errors in the GPS system. One of the most common is the fact that the satellites transmit their signals at very low power, usually 50 watts or below, compared with local radio stations that use around 100,000 watts. This means that the signals are easily distorted and obstacles like buildings and high terrain will lower the accuracy notably. To get best result the receiver needs a line of sight to the used satellites, so obtaining the position indoors is usually impossible.

Another problem is the timing factor. The satellites are equipped with an atomic clock that keeps a very accurate time. But the receivers, which can’t be equipped with an atomic clock for practical reasons, might have slight timing errors where one millisecond is enough to generate a 300km error. To overcome this problem it’s possible to add a fourth satellite in the calculations. Even with timing error the first three satellites will give an intersection where the possible location is, however inaccurate. When adding the fourth satellite it will show that all four can’t intersect in the same place, which tells there is a timing error. By slightly changing the receiver’s time, it’s possible to find the exact time where all four satellites will intersect, thus the correct time has been calculated. However, this method is time consuming. The procedure has to be done over and over again, to make sure the time in the receiver is correct at all times.

4.7.1 Assisted GPS (A-GPS)

To enable an MS for GPS, a receiver chipset has to be embedded into the MS. In addition to the expense of embedding the GPS receiver, there exist a few other problems as well. First, the start-up time is relatively long, from 30 seconds up to a few minutes, due to long acquisition time of navigation information from the satellites. Second, indoor and urban canyon environments, as well as small sized cellular antennas, will prevent detecting weak signals. Third, the power consumption is high. To deal with these problems Assisted GPS (A-GPS) was proposed. A-GPS also has the ability to improve some of the general GPS problems such as timing errors mentioned above.

A-GPS is based on a method for the GPS system called Differential GPS, and the main idea is to provide a reference network whose receivers are located at known positions, have clear views of the sky and can operate continuously. By measuring their position using the satellites and comparing that measured position with the known exact position, the reference receivers can determine errors in the satellites’ signals. At request the receivers can provide more accurate data such as ephemeris data and clock correction. They can also provide which satellites are visible in the area.


Figure 12 - Assisted GPS. Picture taken from the GSM specifications.

This system results in a number of advantages. At request the reference network sends a list of available satellites viewable by the GPS receiver in the MS, and other data that assists the receiver. This will allow the receiver to lower the start-up time and also increase the sensor sensitivity, since it no longer has to search for the signals. The shorter start-up time reduces the power consumption and will allow quicker calculations. The increased sensitivity allows the receiver to detect weaker signals, even in some occasions detect the signals indoors.

Since the reference network can provide clock correction, the receiver doesn’t have to use time-consuming calculations to obtain a synchronized time. Instead it simply hands over its time references and lets the network calculate the correct time difference. The corrected data in the network will also aid in calculating a more accurate position.

This method is expected to provide the highest accuracy. But besides the GPS receiver chip in the MS, the GSM network will also need to be updated with the reference network.

4.8 Conclusion

Of the different methods suggested, only three are possible to use when utilizing information from the MS only: COO, TA and NMR, see Table 1. A GPS-enabled handset would also make it possible to implement the positioning solely in the handset. However handsets with an embedded GPS chip are both very rare and very expensive today. And to use A-GPS, which would be preferable, it would still need to use the network.

Table 1 – Summary of positioning methods

| Method | Execution | Advantages | Disadvantages |
|--------|-----------|------------|---------------|
| COO | Handset / Network | High availability; Only need contact with one BTS; No changes needed | Low accuracy |
| COO+TA | Handset / Network | High availability; Only need contact with one BTS; No changes needed; Better accuracy than COO alone | Not all handsets support TA yet; Low accuracy |
| TOA | Network | No changes needed in the handsets | Expensive changes, one LMU at each BTS |
| TDOA | Network | No changes needed in the handsets | Expensive changes, one LMU at each BTS |
| E-OTD | Handset + Network | Less expensive changes, one LMU at every third BTS | Needs changes in both network and handsets |
| AOA | Network | Only need contact with two BTSs | Complex and expensive changes |
| NMR | Handset | High availability; No changes needed; Can improve results from other methods | Not all handsets support NMR yet; Only provides calculated guesses; Can’t be used alone |
| GPS | Handset | High accuracy; No changes in the network | Very low availability indoor; Expensive handsets |
| A-GPS | Handset + Network | High accuracy | Low availability indoor; Expensive handsets; Needs changes in the network |


5. Handset vs. network based positioning

When comparing the network and MS based methods, it’s important to understand the difference in available information. In an MS based method the information is restricted to what’s stored in the handset, which is information about the current network situation. The network, on the other hand, has a greater variety of information, or at least the potential to provide more information.

The network based methods have some strong advantages over the MS based. The most distinct difference is the available methods and their accuracy level. With existing technology, network and MS based methods can today provide the same level of accuracy. But as new technologies are developed and the network gets upgraded, the MS based methods will most likely not be able to provide as high accuracy. The only method that would be able to match in accuracy is GPS.

Both an advantage and a disadvantage of network based methods is that they are strongly tied to the operators. A developer can’t access any information from the network without the approval and cooperation of the operator. The advantage is that since the service must be done with the cooperation of the operator, all information can be provided, and any eventual upgrades in the network can be utilized. An MS based method gives the possibility to obtain information from the MS without the operator’s help. However, a lot of the information needed to calculate the position, such as the coordinates of the BTSs, is considered company confidential. So the operators’ cooperation is still needed.

An advantage of MS based methods is the shorter response time. Since no measurements are needed from the network, a quicker execution can be obtained. But this advantage can be lost if the network has a high latency.

On an application level the MS based methods have some advantages over the network methods. If the method is executed in the handset, it’s easy to interact with the subscriber. For example, if a user is trying to find a pizzeria in the vicinity and many results are found, the subscriber could be asked if he would prefer a cheaper place or one with better consumer ratings. In the case of the system trying to get the position of a subscriber, the subscriber could be asked, depending on the occasion, if he allows the system to position him.

Another advantage is the possibility to utilize the security functions in the SIM card. In the example above, the user may find a pizzeria and order the desired pizza. To be able to pick the pizza up directly when arriving, he chooses to pay for the pizza in advance using his credit card. By encrypting the data, using algorithms on the SIM card, the user can safely enter his credit card information, and sign the transaction with his Personal Identity Number (PIN).

It would also be feasible to set up personal rules on the SIM card, which override the general rules in the network. Before execution the method first checks these rules to see whether or not it’s allowed to execute on this particular occasion. This would provide an easy way to personalize the services and improve the personal integrity.


These advantages on the application level are in most cases harder to provide, if at all, in a network based method.

As mentioned above, the network based methods will eventually provide a higher degree of accuracy. However, since they need more complex methods to calculate the position, they will in many cases have a lower availability. What will happen in the future is a mixture of different methods, hybrids. For instance, if the handset is equipped with a GPS receiver, a mixture of A-GPS and COO+TA could be used: A-GPS when the user is in open areas and COO+TA when indoors, or to assist A-GPS while in urban canyons. By mixing the network and MS based methods, the interaction with the subscriber will also be retained.


6. SmartTrust products

6.1 System overview

SmartTrust provides solutions for the mobile market, where the operators can gain in security and management of their systems. One of the products is the Delivery Platform (DP), which combines SM, over-the-air management, SAT and WAP technologies.

Figure 13 - Delivery Platform overview

The DP can provide a complete solution for wireless application delivery. The Internet Gateway handles the channel between the Internet and the wireless device. The Service and Device Management provide control of the operator fleet of services and devices. The Messaging platform provides an SM flow to and from the wireless devices. And the security framework makes use of the security features in the SIM card to provide a base for wireless security. The security includes schemes based on both symmetrical and asymmetrical algorithms, where the asymmetrical algorithm is one of the cornerstones in Wireless Public Key Infrastructure.

Important for this work is the Wireless Internet Gateway (WIG) and its feature to communicate with the Wireless Internet Browser (WIB) on the SIM card. To some extent this allows a non-WAP enabled handset to browse WML pages. It also gives the functionality to push WML scripts to the MS, with or without interaction from the subscriber.

The DP resides at the operator in between their PLMN and other networks, such as the Internet.


6.2 Wireless Internet Gateway

The Internet Gateway module includes two ways for the mobile user to receive and view information. A WAP Gateway allows WAP enabled handsets to access WML pages in a normal way. The Wireless Internet Gateway (WIG) allows non-WAP capable handsets to access WML-based content, if they are equipped with a SAT based WML browser on the SIM card such as the Wireless Internet Browser (WIB), see below.

The WIG acts, as the name suggests, as a gateway between the Internet and the wireless device. Towards the Internet the WIG acts as a client, while towards the MS it acts as a server.

An example case could be a subscriber who wishes to see a web page. The URL is sent as a request from the MS to the WIG. The WIG in its turn forwards the request onto the Internet. When the page is received, the WIG translates the page into a byte code that’s interpretable by the WIB. The byte code is sent to the MS where the WIB translates it into SAT commands to show the result in the terminal display. During this session SMs will be used as transportation between the WIG and the MS.

Another feature in the WIG is its push-mechanism. In the example above the session is subscriber-initialised. By using the push-mechanism a session can be started through the network without interaction with the subscriber. That means the WIB does not only work as a browser, it can also retrieve instructions initiated by the system. It could either be the operator wishing to update some information on the SIM card, or to display some text to the subscriber. A commercial aspect would be to push out localized advertising when the subscriber enters a certain area.

Figure 14 – Wireless Internet Gateway principles

This push mechanism works by sending an SM containing a WML script out to the MS. The SM is marked as Data Download and the information is sent to the WIB, which translates the WML script into SAT commands.


6.3 Wireless Internet Browser

The Wireless Internet Browser (WIB) is a menu-driven micro browser that resides on the SIM card. The menu can be seen as “bookmarks”, as in a normal Internet browser, and typically points to a WML-application stored on the SIM card, or a URL address on the Internet where the application is located.

The WIB can’t handle WML code directly, it requires a byte code representation of the WML. If the application is stored on the SIM card it’s already in the correct byte code. And if the page is fetched from the Internet, the WIG will handle the transformation between WML and byte code. The byte code in its turn is translated by the WIB into SAT commands to interact with the handset’s interface.

An advantage the application developer gets by using the WIB is the fact that it already exists on the SIM card. In normal cases it’s the operator who owns the SIM card. In order to place new applications on the SIM card, the developer needs permission from the operator. And normally adding a new application to a SIM card means replacing the card with a new card where the application is added at creation. By using the WIB the application can be stored on the SIM card after creation, or even be pushed out and executed by the WIB when needed.

Another advantage with the WIB is its possibility to use plug-ins. After creation a normal SIM card can’t alter its functionality. The WIB can handle plug-ins to extend its functionality to perform actions that are not standard. The plug-ins work in a similar manner to the way a normal Internet browser uses plug-ins. By calling a specific function the WIB will know a plug-in is requested, and will pass the needed information to the corresponding application. In a normal Internet browser this can be compared to changing the command from http://, which tells the browser a normal web page is requested, to telnet://, which requests a telnet session. Since telnet sessions are not part of the browser’s normal functionality, it will need a plug-in to handle the session.

An important plug-in is the function to call the SAT command Provide Local Information. By calling the function the application on the SIM card can get information from the ME such as the cell-ID or Network Measurement Result (NMR). This is utilized by the implemented demonstration to obtain necessary information from the MS in order to perform the positioning calculations.


7. Implemented demonstration

For this thesis a web-based service was chosen as the demonstration. A user should be able to enter the desired phone number on a web page, and as a result a map would be returned.

The operator is simulated in this demonstration. The WIG server is connected to one of Sonera’s SMSCs (footnote 7) located in Finland, to be able to push the SMs out to the cell phone. Needed information to perform the positioning calculations was provided by an operator for this demonstration only, covering a small area around SmartTrust’s office in Liljeholmen, Stockholm.

7.1 Positioning schemes

Of the different methods available to obtain the position, only three are suitable to use when utilizing the SIM card: COO, TA and NMR (see section 4.8). Even though they provide the lowest accuracy, COO and TA are the only methods used today when using network-based methods.

As described in section 3.4.2 the SAT command Provide Local Information gives the SIM card the ability to question the ME about its network information. This information includes necessary parameters to perform all three of the above methods. And through the WIB command wigProvideLocalInfo [20] the information is also available to applications executed on the SIM card. Thus all three methods are usable when building a positioning service utilizing a SIM card, if it has the WIB.

For this demonstration, however, two setbacks occurred. First, no handset could be found that supports the command to question for the TA. Despite the specifications most handsets don’t yet support this command.

Second, in order to use the neighbour cells in a positioning method, their exact position must be known. This can be obtained by mapping their BSIC value and BCCH carrier to their cell ID, whose position is known. However, the NMR doesn’t contain the actual BCCH carrier values. Instead all carrier values used in the area are stored in a BCCH channel list, and the NMR only contains references to this list. Thus both the NMR object and BCCH channel list are needed, but the channel list can’t be retrieved from the WIB.

Therefore only COO could be used for this demonstration. The TA and NMR methods will be left for future work to implement and test.

7.2 Programming language

To implement this web-based service Java™ Servlets, with complementing Java™ classes, were selected. The web platform consists of an Apache http server extended with a Tomcat Servlet engine.

Footnote 7: Sonera is one of Finland’s largest operators, and owner of SmartTrust.


Inside a servlet engine there exist two kinds of memory, the session and context memory. A session is based upon one window in one browser at a time, i.e. the session is unique for every browser that requests a servlet. The session memory can be used to store information needed in this particular session. The context memory, on the other hand, can be shared between all servlets within the same context and can be accessed from any session. These two kinds of memories are used in this demonstration in order to ‘communicate’ between the functions user and calc (see Figure 16). More about the session and context memories can be read from Java’s tutorial pages [18].

To push a message to a WIG server the HTTP protocol is used on top of the TCP/IP protocol. The message will be an XML script, which contains the WML script addressed to an MS. The XML script is based on the WAP Push Access Protocol [6] of which a subset is supported [21]. The WML script is based on a subset of the WML specification [20].

7.3 System structure

When constructing the system as a web-based service, two spaces are created: the operator space and the content provider space. This demonstration uses a solution where the content provider space is more active, and the operator plays a more passive role.

In a live situation information about the GSM system is kept as strict company confidential. The operators in normal cases won’t give out information such as the coordinates of the BTSs. Then a solution where the operator space is dominant is needed, see Figure 15.

Figure 15 - Operator dominant solution

The content provider hosts the web service that handles the information to and from the user. The function user will be in charge of the user interaction, and formatting the original request to a WML script, which is sent to the operator. When the response arrives it will use the information to make any desirable aesthetic formatting towards the user, such as connecting to a GIS server (Geographical Information System) to obtain a map representing the position. Inside the operator space the WIG will communicate with a Location Server (LS) upon receiving a response from the MS. The LS contains necessary information and algorithms to calculate the position.


This case will give the operator full control over the information. No information other than the calculated position will leave the operator space.

Another possible situation is that the operator will supply the content provider with necessary information, to some extent. This would allow a more content provider dominant solution and the service wouldn’t be as fixed to the operator. The main advantage with this case is the possibility for the content provider to make agreements with several operators to be part of the service. In the previous case only the subscribers of that single operator can make use of the service.

As with the previous case the content provider hosts the function user with the same functionality. The main difference is the LS, which has been split into two new entities: a database db and a new function calc that will be in charge of the calculations, see Figure 16.

Figure 16 - Content provider dominant solution

When receiving a response from an MS the operator will forward the message, unprocessed, to the function calc. With the necessary information requested from db, calc will calculate the position and provide user with the result.

Basically the usage of calc and db could be maintained in any combination, depending on how much information the operator is willing to provide. Hosting both calc and db in the same space would give them the same functionality as the LS, but the information wouldn’t be kept strictly inside the operator space.

In this demonstration the second case of solution has been used.

7.3.1 WML script

An important part of the system is the WML script sent to the WIB. Figure 17 shows an example of the WML script used for this demonstration.

Both lines of the script use the “go href” element in the WML standard. The first line, however, uses the character “#” to tell the WIB the plug-in wigProvideLocalInfo should be used. The WIB executes the command and stores the result in the variable “loc” [20].


<wml>
<go href="http://www.smarttrust.com#wigProvideLocalInfo(00,'loc')"/>
<go href="http://172.16.10.185/demo/servlet/MessageReceiver?LOC=$(loc)&session=hq4z7lk&counter=3"/>
</wml>

Figure 17 - WML script requesting location information

In the second line the “go href” element is used as a normal HTTP request. It tells the WIG to relay the request to the servlet MessageReceiver, i.e. part of the function calc. The servlet will receive four different in-parameters. First the WIB will substitute the variable “loc” and send it as the parameter LOC. The session and counter parameters are set at creation of the script in the function user. Finally the MSISDN is automatically appended to the request as the string “&MSISDN=xxxxxxxxxxxxx” [22]. The session and counter parameters are used for error detection, and to make sure the response is given to the correct user.

7.3.2 User interaction function

As described above, the function user handles the communications with the user, and consists of a group of Java™ servlets and classes. Figure 18 illustrates the functionality of the function user.

Figure 18 - Flowchart for function user

Upon receiving a request the MSISDN is checked against the database db, see section 7.3.4, to verify that the service is allowed to obtain the position of the number. Then the necessary WML script is created, using information from the current session. After pushing the message to the WIG server, user enters a waiting state before checking if the result has arrived. If it hasn’t, it returns to the waiting state, until a timeout value is reached. During this waiting time the message is pushed to the MS, the response is sent to the function calc where the position is calculated, and finally the result is stored in the context memory. The context memory is used because it is shared between user and calc.

When user can retrieve a result from the context memory it means the position is calculated. The result is used when creating the web page used as response to the user.


7.3.3 Calculation function

When the WIG server receives the response from the MS, it forwards the unprocessed data to the function calc, see Figure 16. After making error checks, to make sure it should handle the response, it starts to decode the in data.

Figure 19 - Flowchart for function calc

In this demonstration decoding the in data is the major part of calc. Since only the method COO is used, no calculation other than the database lookup is needed.

When the position is obtained the result is stored in the context memory for user to retrieve.

7.3.4 Database

In the test environment a Microsoft Access database is used. The database, db, contains two kinds of information: MSISDN info and BTS info.

MSISDN info

In order to verify which numbers the system is allowed to obtain a position of, db contains a list of numbers that have either disabled the service or allowed it. Thus when the user function requests to verify an MSISDN it can get three different states: not in database, service disabled or service allowed. The second and third states are obvious and should be treated accordingly. The first state, however, could mean the subscriber isn’t aware of the service. This case could be treated differently, for example by sending a question to the subscriber asking if the current positioning request is allowed. In this demonstration the service won’t be allowed if the number is not in the db.

BTS info

The BTS info is the most important information in any positioning service. Without the coordinates of the different BTSs it isn’t possible to calculate any position. The db contains a simple mapping between the cell IDs and their corresponding coordinates, as provided by the operator for this demonstration.
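How user, calc and db fit together for COO, including the consent check and the session/counter match from section 7.3.1, as an added example rather than the thesis’s own servlet code. It assumes the WIB delivers LOC as a hex string of the 7-byte Location Information value (MCC/MNC, LAC, cell ID); the function names, table contents, MSISDNs and coordinates are constructed, and db is keyed on the full cell identity rather than the cell ID alone.

```python
# Added example: the `user` / `calc` / `db` checks for COO positioning.
# Assumption: LOC is a hex string holding the 7-byte Location Information value.

# Constructed stand-ins for db (section 7.3.4); the real data was operator-supplied.
MSISDN_INFO = {"46700000001": "allowed", "46700000002": "disabled"}
BTS_INFO = {("240", "01", 0x0123, 0x4567): (59.31, 18.02)}  # cell -> (lat, lon)

PENDING = {}  # session -> (counter, msisdn), filled in when the script is pushed


class Rejected(Exception):
    """The request or response must not be processed."""


def consent_state(msisdn):
    """Return one of the three states: 'allowed', 'disabled', 'not in database'."""
    return MSISDN_INFO.get(msisdn, "not in database")


def start_request(session, counter, msisdn):
    """What `user` does before pushing: anything but 'allowed' is refused."""
    state = consent_state(msisdn)
    if state != "allowed":
        raise Rejected(f"positioning refused: {state}")
    PENDING[session] = (str(counter), msisdn)


def decode_location(loc_hex):
    """Split Location Information into MCC, MNC, LAC and cell ID."""
    try:
        raw = bytes.fromhex(loc_hex)
    except (TypeError, ValueError):
        raise Rejected("LOC is not a hex string")
    if len(raw) != 7:
        raise Rejected("LOC must be exactly 7 bytes")
    # MCC and MNC are packed as BCD nibbles; 0xF fills an unused third MNC digit.
    mcc = [raw[0] & 0x0F, raw[0] >> 4, raw[1] & 0x0F]
    mnc = [raw[2] & 0x0F, raw[2] >> 4]
    if raw[1] >> 4 != 0x0F:
        mnc.append(raw[1] >> 4)
    if any(d > 9 for d in mcc + mnc):
        raise Rejected("invalid BCD digit in MCC/MNC")
    return {
        "mcc": "".join(map(str, mcc)),
        "mnc": "".join(map(str, mnc)),
        "lac": int.from_bytes(raw[3:5], "big"),
        "cell_id": int.from_bytes(raw[5:7], "big"),
    }


def message_receiver(params):
    """What `calc` does with the request relayed by the WIG."""
    session = params.get("session")
    expected = PENDING.get(session)
    if expected is None:
        raise Rejected("no pending request for this session")
    if expected != (params.get("counter"), params.get("MSISDN")):
        raise Rejected("counter or MSISDN does not match the pending request")
    cell = decode_location(params.get("LOC", ""))
    del PENDING[session]  # one answer per pushed script
    key = (cell["mcc"], cell["mnc"], cell["lac"], cell["cell_id"])
    # COO: the position is simply that of the serving BTS. None means the cell
    # is not in db; MCC and MNC still identify the country and network.
    cell["position"] = BTS_INFO.get(key)
    return cell
```

Because MessageReceiver is an ordinary HTTP endpoint, matching every response against a pending session, counter and MSISDN is what keeps an unsolicited or repeated request from being stored as a result.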

7.3.5 Message flow

During a positioning request a lot of messages go through the entire system. The main flow of messages is illustrated in Figure 20.


At initialisation of the service, user receives a request from a user containing the requested MSISDN. After creation of the WML script (see Figure 17) it is sent to the operator and their WIG server, where the script is pushed out onto the GSM network as an SM.

In the subscriber’s MS the ME is constantly asking the SIM card for any proactive commands to execute, as part of the proactive mechanism. At the arrival of the SM, the ME identifies it as a Data Download message and downloads it onto the SIM card and the WIB for execution. The WIB will then initiate two proactive commands: Provide Local Information (PLI), and finally one that sends the result from the previous command as an SM.

Figure 20 – The message flow during a positioning request

As defined in the WML script, the result is sent to the function calc in the content provider space, where necessary calculations and database lookups are done. Finally the calculated position is returned to the function user and the result can be displayed to the user.

7.4 Results

The demonstration successfully implements a positioning method based on the SIM card. The accuracy provided is the same as that of the network based methods available today. In this implementation, however, only the position of the BTS can be shown. In order to calculate the radii around the BTSs in which the possible position should be, the transmitted signal strength is needed. But the operator that supplied information for this demonstration did not provide this particular information.


During discussions with people responsible for SmartTrust’s demo platform, the point was raised that for a demonstration purpose towards potential customers, it might be enough to locate the country and network in which the cell phone is located. That would provide enough information to use when demonstrating the products on the international market. The demonstration is capable of this without connection or cooperation with any operator.

As a result to the request a simple map over Liljeholmen, Stockholm is displayed, where the positions of SmartTrust’s office and current BTS are marked with symbols, see Figure 21.

Figure 21 - Example of a result map

The demonstration also shows a list with the available network information. And obtainable NMR information can be displayed, even though it can’t be part of the positioning method.


8. Future work

This demonstration only implemented a part of what theoretically could be done. The TA method and NMR information could be used to enhance the results. To implement the TA a compliant cellular phone must be found, which should be possible in the near future. In order to utilize the NMR information the WIB will need some improvements. The GSM specifications state the option to obtain the so-called BCCH channel list, which is needed as a complement to the NMR information. If this list can be obtained through the WIB then it will be possible to utilize the information in a practical manner.

Another possible improvement in the WIB is to allow a SAT mechanism called Profile Download. During the execution of a WML script, any command not supported by the ME will cause the execution to halt, and display an error message in the ME’s display. This would be the case, for instance, if the TA method were requested on a cellular phone that’s not compliant with that command. The Profile Download mechanism provides the means to question the ME about what commands it supports. If the WIB would provide this command, it could be possible to customize the WML script with regard to which positioning method to use, depending on what the ME supports.

If this demonstration were to become part of a commercial product, several improvements would be required. The personal integrity could be improved significantly. Now only a two-state option exists, disabled or allowed. It would be desirable to extend that into more options, for example on a time basis. Other parts, such as security or failure tolerant functions, would need improvements.


9. Conclusions

The objective for this thesis had two parts. The first was to investigate how location-based services can be done, using information available in the cellular telephone. The second part was to implement a demonstration.

During the work I have shown it is possible to utilize the SIM card to perform a location-based service. First the GSM system was discussed, and methods were shown for extracting certain information from the cellular phones. By using a SIM card with an installed micro browser it is possible to obtain network information from the handsets, through the use of SIM Application Toolkit (SAT) commands. Then different positioning methods were discussed, of which three were shown to work solely with the information obtainable from the cellular phones: Cell Of Origin (COO), Timing Advance (TA) and Network Measurement Result (NMR).

As of today these methods, except for NMR, are the same as in use through the network. Thus location-based services using the SIM card can today provide the same level of accuracy in the calculated position. If a higher degree of accuracy is needed, however, the methods based on the SIM card alone will eventually not be sufficient. In order to further develop these methods in the future, more information must be available from the cellular telephone, which would require changes in the specifications. The proposed network based methods, on the other hand, utilize existing specifications in new ways. As the networks continue to be upgraded, and the demands for more accurate service grow, the network based methods will be more suitable.

However, the network based methods lack a couple of things in comparison with the methods based on the SIM card. One is the possibility to interact with the subscribers. Many of the network based methods don’t include the phone in their schemes, other than listening to its signals. This will limit the options for the subscribers to personalize the services. Also the possibility to utilize the existing security functions is lost. To retain these qualities it’s likely that the future solutions will consist of a mixture of network and handset based methods.


10. List of references

1. Williamson S. Svensk telemarknad 2000, Post & Telestyrelsen 2001

2. Press release, Ovum, http://www.ovum.com/press/pressreleases/default.asp?wp=mls.htm, Accessed 2001-06-25

3. Enhanced 911, FCC, http://www.fcc.gov/e911/, Accessed 2001-06-10

4. Location Inter-operability Forum, http://www.locationforum.org/

5. Wireless Location Industry Association, http://www.wliaonline.org/

6. WAP Forum, http://www.wapforum.com

7. GSM 03.71, Digital cellular telecommunications system (Phase 2+); Location Services (LCS); (Functional description) - Stage 2, version 8.0.0, ETSI 2000

8. GSM 04.18, Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification, Radio Resource Control Protocol, version 8.5.0, ETSI 2000

9. GSM 05.10, Digital cellular telecommunications system (Phase 2+); Radio subsystem synchronization, version 8.4.0, ETSI 2000

10. GSM 11.11, Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface, version 8.3.0, ETSI 2000

11. GSM 11.14, Digital cellular telecommunications system (Phase 2+); Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface, version 8.3.0, ETSI 2000

12. GSM - Association Subscriber Statistics, GSM World, http://www.gsmworld.com/membership/ass_sub_stats.html, Accessed 2001-07-30

13. GSM – Association Subscriber Forecast, GSM World, http://www.gsmworld.com/membership/ass_sub_fore.html, Accessed 2001-07-30

14. GSM – SMS Graph, GSM World, http://www.gsmworld.com/membership/graph_sms.html, Accessed 2001-08-15

15. Mouly M. and Pautet M.B. The GSM System for Mobile Communications, Telecom Publishing 1992

16. Garmin: What is GPS?, Garmin, http://www.garmin.com/aboutGPS/, Accessed 2001-10-27

17. GSM System Overview, Apis Technical Training 1998

18. The Java™ Tutorial: Servlets, java.sun.com, http://java.sun.com/docs/books/tutorial/servlets, Accessed 2001-09-15

19. Facts and figures, SmartTrust, http://www.smarttrust.com/seczone/facts_figures.html, Accessed 2001-08-17

20. WML Specification – Wireless Internet Gateway, Doc. nr. ST1745519 rev. E, SmartTrust 2000

21. Push Request Protocol Specification, Doc. Nr. ST17455122 rev. B, SmartTrust 2001

22. Browser Request Protocol Specification, Doc. Nr. 17455121 rev. C, SmartTrust 2001

Appendix A: Abbreviations

AGCH Access Granted Channel

A-GPS Assisted GPS

AOA Angle Of Arrival

BCCH Broadcast Control Channel

BSIC Base transceiver Station Identity Code

BSS Base Station System

BTS Base Transceiver Station

COO Cell Of Origin

E-OTD Enhanced Observed Time Difference

ETSI European Telecommunications Standards Institute

FACCH Fast Associated Control Channel

FCCH Frequency Correction Channel

FDMA Frequency Division Multiple Access

GPS Global Positioning System

GSM Global System for Mobile communications

IMEI International Mobile Equipment Identity

IMSI International Mobile Subscriber Identity

LAI Location Area Identity

LBS Location Based Services

LMU Location Measurement Unit

ME Mobile Equipment

MS Mobile Station

MSC Mobile services Switching Center

MSISDN Mobile Station International ISDN Number

NMR Network Measurement Results

PCH Paging Channel

PIN Personal Identification Number

PLMN Public Land Mobile Network

PSTN Public Switched Telephony Network

RACH Random Access Channel

SACCH Slow Associated Control Channel

SAT SIM Application Toolkit

SCH Synchronisation Channel

SDCCH Stand-alone Dedicated Control Channel

SIM Subscriber Identity Module

SM Short Message

SMS Short Message Service

SMSC Short Message Service Center

TA Timing Advance

TCH Traffic Channel

TDMA Time Division Multiple Access

TDOA Time Difference of Arrival

TMSI Temporary Mobile Subscriber Identity

TOA Time Of Arrival

WAP Wireless Application Protocol

WIB Wireless Internet Browser

WIG Wireless Internet Gateway

WML Wireless Markup Language

Appendix B: SIM Application Toolkit features

The SAT commands can be divided into different categories:

Control of the Man-Machine interface

These commands allow the SIM to exchange information with the user.

- Select Item: Allows the SIM to build up a sub-menu with a list of items, where the item selected by the user is returned.

- Display Text: Shows a text in the display of the ME.

- Get Inkey: Asks the user to answer with a single character, for example ‘Y’ or ‘N’.

- Get Input: Asks the user to input a string, for example their name.

- Play Tone: Plays an audio tone that is pre-defined in the ME. For example, an error tone can be played if the wrong character is typed.

Communication services

These commands allow the SIM to initiate actions, through the ME, that will be sent to the network.

- Set Up Call: Requests the ME to set up an automatic call to the given number.

- Send Short Message: Instructs the ME to set up and send a short message.

- Send SS: Sends a Supplementary Service Control to the ME in order to request a supplementary service from the network, such as Call Forwarding.

- Send USSD: Sends an Unstructured Supplementary Service Data message.

- Cell Broadcast Download: Used to update data on the SIM card, such as downloading new applications to the SIM. The message is broadcast to all MS in the region.

- SMS PP Download: Allows data to be downloaded through the SM channel on a card-by-card basis (Point-to-Point).

- Call Control: Can be used to control outgoing calls, for example checking for unauthorised numbers or extending abbreviated phone numbers.

- Mobile Originated Short Message Control: Can be used to force the ME to ask the SIM for permission before sending any SM.

- Provide Local Information: Allows the SIM to query the ME about its current location. Information such as Country code, Location Area and cell ID can be obtained.
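The location data that Provide Local Information returns can be decoded as in the following sketch. This is an added example, not code from the thesis or from SmartTrust; the byte layout follows GSM 11.14 (reference 11), and the function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the thesis): decode the Location Information object
# returned in the TERMINAL RESPONSE to PROVIDE LOCAL INFORMATION (GSM 11.14).
TAG_RESULT, TAG_LOCATION_INFO = 0x03, 0x13

def parse_simple_tlv(data: bytes) -> dict:
    """Split consecutive SIMPLE-TLV objects into {tag: value}.
    Bit 8 of the tag (comprehension required) is masked off."""
    objects, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i] & 0x7F, data[i + 1]
        i += 2
        if length == 0x81:  # two-byte length form, values of 128..255 bytes
            if i >= len(data):
                raise ValueError("truncated TLV length")
            length, i = data[i], i + 1
        elif length > 0x7F:
            raise ValueError("invalid TLV length byte")
        if i + length > len(data):
            raise ValueError("TLV value runs past end of buffer")
        objects[tag] = data[i:i + length]
        i += length
    return objects

def decode_plmn(b: bytes) -> tuple:
    """Nibble-swapped BCD: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1; 0xF = unused MNC3."""
    digits = [b[0] & 0x0F, b[0] >> 4, b[1] & 0x0F, b[2] & 0x0F, b[2] >> 4, b[1] >> 4]
    if any(d > 9 for d in digits[:5]) or digits[5] not in (*range(10), 0xF):
        raise ValueError("non-decimal digit in MCC/MNC")
    mcc = "".join(map(str, digits[:3]))
    mnc = "".join(str(d) for d in digits[3:] if d != 0xF)
    return mcc, mnc

def decode_location(terminal_response: bytes) -> dict:
    tlvs = parse_simple_tlv(terminal_response)
    # Assumption of this example: only general result 0x00 is accepted.
    if tlvs.get(TAG_RESULT, b"")[:1] != b"\x00":
        raise ValueError("ME did not report successful execution")
    loc = tlvs.get(TAG_LOCATION_INFO)
    if loc is None or len(loc) != 7:
        raise ValueError("Location Information object missing or wrong length")
    mcc, mnc = decode_plmn(loc[:3])
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(loc[3:5], "big"),
            "cell_id": int.from_bytes(loc[5:7], "big")}

# Constructed sample: MCC 240, MNC 01, LAC 0x1234, cell ID 0xABCD.
SAMPLE = bytes.fromhex("8103012600" "82028281" "830100" "130742F0101234ABCD")
print(decode_location(SAMPLE))
```

The length and digit checks matter on the receiving side: a server that accepts these bytes over SMS should reject truncated or malformed objects rather than index past the buffer.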

Menu management and application control

- Set Up Menu: Sets up a new menu item list during initialisation of the ME, which will include these menu items in its own menu.

- Menu Selection: Mechanism used to transfer the SIM application menu item selected by the user to the SIM.

- More Time: Allows a task more time for processing, if the processing is long enough to affect normal GSM operation.

- Event Download: Command sent from the ME to the SIM to state that an event has occurred. Allows the SIM to react to events other than user-driven ones.

- Set Up Event List: Used by the SIM to tell the ME which events it wants to be notified about.

- Timer Management / Timer Expiration: Allows the SIM to manage the ME’s timer, for example to set up a reminder application.