
GSM localization - triangulation


gm

Nov 15, 2015, 7:07:31 AM
Hi!

I'm making a project with my SIM900 module and the AT command set.
The goal is to get, as much as possible, the correct location of my GSM
modem. This is what I tried so far:

AT+COPS?
-----------
+COPS: 0,0,"Tele2"
OK


AT+CREG?
-----------
+CREG: 0,1
OK

Parameters:
<mode> 0 - automatic choice (the parameter <oper> will be ignored)
<format> 1 - alphanumeric short form

AT+CGREG?
----------
+CGREG: 2,1,"006F","263F"

I'm getting a good location, but just one line and one tower...

AT+CGREG=?
---------
+CGREG: (0,1,2)
OK

What do these 3 parameters do? Should there not be just two?
How can I call AT+CGREG[=[<n>]] with this "n" number?

Anyway, help needed on setting basic triangulation.

Thank you in advance!
GM

John Henderson

Nov 15, 2015, 7:13:01 PM
gm wrote:

> Am making one project with my sim900 module and AT command set.
> The goal is to get , as much as possible, correct location of my gsm
> modem. This is what i tried so far:

I'm commenting on the things you raise out of order. I want to tackle
the following aspect first, because it may affect your understanding of
AT commands generally.

> AT+CGREG=?
> ---------
> +CGREG: (0,1,2)
> OK
>
> What does this 3 parameters do ? Should there not be just two ?
> How can i call AT+CGREG[=[<n>]] with this "n" number.

I think you've misunderstood the query form of AT command syntax. They
are not three parameters, but three supported alternative values for
parameter 1.

Let's take this AT+CGREG command as our example. Certain (but far
from all) commands have three types of syntax. They are:

1. Set the value for the command on the modem. If you want to
set +CGREG to zero, the command is "AT+CGREG=0".

2. Query the present value. The syntax for that is "AT+CGREG?".

3. Query the range of values supported by the modem. This is the
"AT+CGREG=?" command.

In the case of this command, only the first parameter can be set.
That's the mode of responses to subsequent "AT+CGREG?" commands.

Your "AT+CGREG=?" command result is telling you that +CGREG can be set
to either 0, or 1, or 2. The other value defined in 3GPP 27.007 is 3,
and your modem is telling you that it doesn't support being set to 3.

> AT+CGREG?
> ----------
> +CGREG: 2,1,"006F","263F"

This is telling you that you've got +CGREG set to 2.

The 1 in the second parameter says that your modem is registered on your
home network.

And then there's the LAC and cell ID, of course.

If +CGREG was set to 0 or to 1, you'd not be getting LAC and cell ID
information.

Now modes 1 and 2 also provide unsolicited reports. That's to say,
you'll get a "+CGREG: ..." result whenever there's a change in the
cellular environment which affects +CGREG.

> AT+COPS?
> -----------
> +COPS: 0,0,"Tele2"
> OK

That's giving you the operator name. You can set it to give you the
network ID (MCC concatenated with MNC) instead, using "AT+COPS?" after
configuring it first with "AT+COPS=3,2".

The value 3 in the first parameter means "leave the value in the first
parameter unchanged".

Assuming that you don't have a data connection up, the command
"AT+COPS=?" will do a little more than report supported values. It does
a network scan, and will report all networks visible to your modem at
the time. It can take a while (from several seconds to more than a
minute) to come back with results.

> AT+CREG?
> -----------
> +CREG: 0,1
> OK
>
> Parameters:
> <mode> 0 - automatic choice (the parameter <oper> will be ignored)
> <format> 1 - alphanumeric short form

I don't know where you got that bit about <format> from, but it's
not right. It seems to me that you're thinking about the "AT+COPS"
command there.

In fact, "AT+CREG" and "AT+CGREG" behave in the same way. The difference
is that "AT+CREG" lives in the circuit-switched domain, while "AT+CGREG"
works in the packet domain (ie, with GPRS as far as GSM is concerned).
Personally, I'd avoid any potential problems with the APNs required for
GPRS, and use "AT+CREG=2" instead.

In fact, if you want a one-shot reading of LAC and cell ID, with no
unexpected unsolicited results to follow, you can do that with the
composite command:

AT+CREG=2;+CREG?;+CREG=0

> Am getting good location but just one line and one tower...

You need to get out more :).

> Anyway, help needed on setting basic triangulation.

I downloaded an AT command reference for your module from:
http://www.espruino.com/datasheets/SIM900_AT.pdf

There are some very powerful commands available in engineering mode,
including what looks to me like Network Management Results. This should
give you at least signal strengths for the strongest 6 neighbouring
cells.

It looks like you can also read the timing advance (TA) value. Multiply
that value by 553.5 metres to give you the approximate distance to the
cell you're camped on. If you're moving, or if the cell changes, you
need to interact with the tower so that the module updates the TA
value. Otherwise it'll be stale.

In the past, I've used "AT+CLIP?" to force such an interaction, and
refresh the TA value.

John




John Henderson

Nov 15, 2015, 7:21:00 PM
I wrote:

> Network Management Results

I meant to say Network Measurement Results, of course :(

John

gm

Nov 16, 2015, 9:32:13 AM
John, THANK YOU very much for this 101 tutorial.
I will read this a few more times so I can put together a basic setup.
Anyhow, if you have any more suggestions, please be so kind and write them
down...

GM

John Henderson

Nov 16, 2015, 10:02:33 AM
gm wrote:

> Anyhow, if you have any more suggestions, please be so kind and write it
> down...

The flippant answer is to buy a GSM modem like the Sierra Wireless 312U
(no longer available new). It has an onboard GPS receiver which can be
activated, and the exact position of the modem read with a few AT
commands.

But persevering with your SIM900, the big question is what you can get
out of engineering mode.

I'd try:

AT+CENG=3

followed by:

AT+CENG?

Without a SIM900 myself, I'm not in a position to explore further. I'm
sure you'll have further questions as you progress.

John




gm

Nov 16, 2015, 4:31:56 PM
I was thinking of buying such a product, but the end user wants to go with
the SIM900 (because of budget).

I forgot to write in the original topic that I have tried these commands too:

AT+COPS=?
AT+CSQ
AT+CREG=2
AT+CREG ?

The answer was:
+COPS: (2,"TELE2","","21902"),(1,"T-Mobile HR","T-Mobile","21901"),(3,"HR VIP","VIP","21910"),,(0,1,4),(0,1,2)

+CSQ: 14,0

AT+CREG?
+CREG: 2,1,"006F","1C90"

The location is approximately 10 km away from my original location...
What do you think about this?

I'm going to run a test with your suggestion and will write back with the results.

GM

John Henderson

Nov 16, 2015, 5:50:56 PM
gm wrote:

> I forget to write in the original topic that i have tried this commands too:
>
> AT+COPS=?
> AT+CSQ
> AT+CREG=2
> AT+CREG ?
>
> The answer was:
> +COPS: (2,"TELE2","","21902"),(1,"T-Mobile
> HR","T-Mobile","21901"),(3,"HR VIP","VIP","21910"),,(0,1,4),(0,1,2)

Now, if you'd done "AT+COPS=3,2" first, you'd get MCC and MNC
data instead of the operator names.

> +CSQ: 14,0

That's an RSSI value of -85 dBm ((14 * 2) - 113).

> AT+CREG?
> +CREG: 2,1,"006F","1C90"

If you're in Croatia, and your MCC is 219 and your MNC is 02, then you
can get an approximate location of this cell by going to
http://www.minigps.net/map.html and entering the four field values
"219", "02", "6F" and "1C90". Tick the little box marked "16" to the
right, as your LAC and cell ID values are in hexadecimal. Enter the
displayed VeriCode to prove you're human, and you'll get a map.

> The location is cca 10 km away from my original location...
> What do you think about this ?

-85 dBm is perfectly adequate signal.

John

John Henderson

Nov 16, 2015, 7:21:35 PM
gm wrote:

> +COPS: (2,"TELE2","","21902"),(1,"T-Mobile HR","T-Mobile","21901"),(3,"HR VIP","VIP","21910"),,(0,1,4),(0,1,2)

Looking more closely at that result, I see that it's got the MCC/MNC
info there as well as the name.

But looking at the first argument within the three sets of brackets
which show a detected network, they show <stat> information.

<stat> values are:

1 - available
2 - current
3 - forbidden

So you're camped on MCC 219 and MNC 02 as I suspected from the "TELE2"
before I noticed them there.

> AT+CREG?
> +CREG: 2,1,"006F","1C90"

And the second argument ("1") in that result shows that you're on the
SIM's home network. If that were a "5", the device would be roaming.

The SIM is also permitted to roam onto network ID 21901, but not onto
21910.

John
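A small parser for the three response shapes discussed in this thread (the +CREG/+CGREG form with hexadecimal LAC and cell ID, the +COPS=? network list with its <stat> values, and +CSQ), plus the timing-advance distance rule of thumb from earlier in the thread. This is added example code, not something posted in the thread; the sample strings are constructed from the responses quoted above, and the <stat> tables are the 3GPP TS 27.007 values.

```python
import re

# Constructed sample responses, shaped like the ones quoted in the thread.
CREG_RESPONSE = '+CREG: 2,1,"006F","1C90"'
CSQ_RESPONSE = "+CSQ: 14,0"
COPS_TEST_RESPONSE = ('+COPS: (2,"TELE2","","21902"),(1,"T-Mobile HR","T-Mobile","21901"),'
                      '(3,"HR VIP","VIP","21910"),,(0,1,4),(0,1,2)')

# <stat> meanings for +CREG/+CGREG (3GPP TS 27.007).
REG_STAT = {0: "not registered", 1: "home", 2: "searching", 3: "denied",
            4: "unknown", 5: "roaming"}
# <stat> meanings for each network in an AT+COPS=? list.
COPS_STAT = {0: "unknown", 1: "available", 2: "current", 3: "forbidden"}

def parse_creg(line):
    """Parse '+CREG: <n>,<stat>[,"<lac>","<ci>"]' (same layout for +CGREG).
    LAC and cell ID are hex strings on the wire; they are returned as ints so
    they can be handed to lookup databases that expect decimal values."""
    fields = [f.strip().strip('"') for f in line.split(":", 1)[1].split(",")]
    result = {"n": int(fields[0]), "stat": REG_STAT.get(int(fields[1]), "reserved")}
    if len(fields) >= 4:                # LAC/CI are only reported when <n> == 2
        result["lac"] = int(fields[2], 16)
        result["ci"] = int(fields[3], 16)
    return result

def parse_cops_test(line):
    """Parse AT+COPS=? output into (stat, long name, short name, mcc, mnc)
    tuples, skipping the trailing supported-value lists such as (0,1,4).
    Assumes operator names contain no commas, as in the thread's samples."""
    nets = []
    for grp in re.findall(r"\(([^()]*)\)", line):
        parts = [p.strip().strip('"') for p in grp.split(",")]
        if len(parts) != 4 or not parts[3].isdigit():
            continue                    # (0,1,4) and (0,1,2) are not networks
        mccmnc = parts[3]               # "21902" -> MCC 219, MNC 02
        nets.append((COPS_STAT.get(int(parts[0]), "reserved"),
                     parts[1], parts[2], mccmnc[:3], mccmnc[3:]))
    return nets

def csq_to_dbm(line):
    """'+CSQ: <rssi>,<ber>': rssi 0..31 maps to -113..-51 dBm; 99 means unknown."""
    rssi = int(line.split(":", 1)[1].split(",")[0])
    return None if rssi == 99 else -113 + 2 * rssi

def ta_distance_m(ta):
    """Approximate distance to the serving cell: one TA step is about 553.5 m."""
    return ta * 553.5
```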

gm

Nov 17, 2015, 2:58:16 AM
Great info, thank you.
I am located in Croatia and I have used

http://cellidfinder.com/cells/findcell to get geolocation.

I'm going to make some additional tests today, and I'll let you know the results.

GM

John Henderson

Nov 17, 2015, 4:45:49 PM
gm wrote:

> I ... have used

Thanks for the link, which I've bookmarked. There are quite a few
cell-finding sites. Most rely on data collected from GPS-enabled smartphones
running appropriate apps. As such, the locations are approximate, with some
of the issues discussed here:
http://wiki.opencellid.org/wiki/FAQ#I_know_where_cell_tower_x_exactly_is_but_OpenCellID_shows_another_position

The Chinese site I mentioned has particularly comprehensive data (collected
from many sources).

John

gm

Nov 18, 2015, 10:21:20 AM
Hi John.
These are the results from today:

After I set AT+COPS=3,2

I get the correct answer, so the first part is done.

+COPS: (2,"TELE2","","21902"),(3,"HR VIP","VIP","21910"),(1,"T-Mobile HR","T-Mobile","21901"),(1,"H pannon 3G","pannon3G","21601"),,(0,1,4),(0,1,2)

I'm guessing that these are the right 3 towers...
The problem is that I'm missing the LAC and ID of those towers.

As far as I understand from the older tests, LAC and ID can be obtained
just from the one to which I am connected. Am I right? If so, how do I
get the other two?

Connecting to one tower:
AT+CREG=2
OK
AT+CREG?
+CREG: 2,1,"006F","263F"
OK

Maybe I cannot connect to other towers because the SIM card won't allow
connection to a "foreign" network, but only to its own?


GM


John Henderson

Nov 18, 2015, 3:00:45 PM
gm wrote:

> +COPS: (2,"TELE2","","21902"),(3,"HR VIP","VIP","21910"),(1,"T-Mobile
> HR","T-Mobile","21901"),(1,"H pannon
> 3G","pannon3G","21601"),,(0,1,4),(0,1,2)
>
> Am guessing that this are the right 3 towers...
> The problem is that am missing LAC and ID of those towers.

The "AT+COPS=?" command returns a list of visible mobile NETWORKS (not cells
or towers). From your module, in your location, at that particular time,
that's:

MCC  MNC  Name
219  02   Tele2
219  10   VIPnet
219  01   T-Mobile
216  01   Telenor Hungary

See http://www.itu.int/dms_pub/itu-t/opb/sp/T-SP-E.212B-2015-PDF-E.pdf for
an MCC/MNC list.

> As far as i understand from the older tests LAC i ID can be obtained
> just from the one on which i am connected. Am i right ? If so, how to
> get other two ?

Yes, you can get the LAC and cell ID of just the individual cell that your
module is camped on. That is to say, you can get information about the
"serving cell" once you're registered onto a network.

> Connecting to one tower:
> AT+CREG=2
> OK
> AT+CREG?
> +CREG: 2,1,"006F","263F"
> OK
>
> Maybe i can not connect to other towers because the SIM card wont allow
> connection to "foreign" network, but only to his own ?

If a network is "forbidden", like the "(3,"HR VIP","VIP","21910")" above,
then you can never camp on one of its cells. You're currently registered
with the network "(2,"TELE2","","21902")" above, so the LAC and cell ID
you're seeing belong to that network.

The other two networks are "available". So you could potentially roam onto
those, and read off the cell information from one of those when you camped
there.

Normally, it's impossible to get a cell ID from a cell without camping on
it.

Within a network, you'll have very little (if any) ability to influence
which cell your module camps on (other than by moving the module to a
different place, of course).

Let's see what additional information we can get from the engineering
commands:

AT+CENG=3

followed by:

AT+CENG?

John

gm

Nov 21, 2015, 12:11:20 PM
Hi John!
The latest update:

AT+CENG=3
OK

AT+CENG?
+CENG: 3,0

+CENG:0,219,02,006f,263f,23,26 -- tele2
+CENG:1,219,01,3ee5,407c,03,37 -- tmobile
+CENG:2,219,01,3f16,40a3,70,33 -- tmobile
+CENG:3,219,02,006f,2642,23,17 -- tele2
+CENG:4,219,02,006f,2618,10,14 -- tele2
+CENG:5,219,01,3f16,40a2,26,27 -- tmobile
+CENG:6,219,01,3ee5,40b5,45,22 -- tmobile

I went to check these stations directly in the field, and they were very
accurate. Now I have to see how to define the existing header files from the
manufacturer to fit our needs. So far I can just say thank you :-)
I will update you with new info.

GM

John Henderson

Nov 21, 2015, 5:08:30 PM
gm wrote:

> Hi John !
> The latest update:
>
> AT+CENG=3
> OK
>
> AT+CENG?
> +CENG: 3,0
>
> +CENG:0,219,02,006f,263f,23,26 -- tele2
> +CENG:1,219,01,3ee5,407c,03,37 -- tmobile
> +CENG:2,219,01,3f16,40a3,70,33 -- tmobile
> +CENG:3,219,02,006f,2642,23,17 -- tele2
> +CENG:4,219,02,006f,2618,10,14 -- tele2
> +CENG:5,219,01,3f16,40a2,26,27 -- tmobile
> +CENG:6,219,01,3ee5,40b5,45,22 -- tmobile
>
> I want to check this stations directly on the field and they ware very
> accurate. Now i have to see how to define existing header files from
> manufacturer to fit our needs. So far i can just say thank you :-)
> I will update you with new infos.

The next thing you should do is try for even more information, including
Timing Advance. You should try the command:

AT+CENG=2

I'm not sure whether or not you also need to do:

AT+CENG?

afterwards. Try that too if the first command doesn't give you all the
information already.

John
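The AT+CENG=3 / AT+CENG? output posted above, parsed into per-cell records and reduced to the strongest cell per operator, as an added example that is not part of the thread. It relies on the field order <index>,<mcc>,<mnc>,<lac>,<cellid> visible in the posted lines and takes the last two fields to be BSIC and RxLev (an assumption to check against the SIM900 AT manual); the sample text is constructed from the posted output, without the poster's "-- tele2" annotations.

```python
# Constructed sample, copied in shape from the AT+CENG? output in the thread.
CENG_RESPONSE = """+CENG: 3,0

+CENG:0,219,02,006f,263f,23,26
+CENG:1,219,01,3ee5,407c,03,37
+CENG:2,219,01,3f16,40a3,70,33
+CENG:3,219,02,006f,2642,23,17
+CENG:4,219,02,006f,2618,10,14
+CENG:5,219,01,3f16,40a2,26,27
+CENG:6,219,01,3ee5,40b5,45,22
OK"""

def parse_ceng_mode3(text):
    """One dict per reported cell. Index 0 is the serving cell, 1..6 are
    neighbours. LAC and cell ID arrive as hex and are converted to ints.
    The last two fields are assumed to be BSIC and RxLev (assumption).
    The '+CENG: <mode>,<ncell>' status line and 'OK' are skipped."""
    cells = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("+CENG:"):
            continue
        fields = [f.strip() for f in line[len("+CENG:"):].split(",")]
        if len(fields) != 7:
            continue                     # the "+CENG: 3,0" status line
        idx, mcc, mnc, lac, cid, bsic, rxlev = fields
        cells.append({"index": int(idx), "mcc": mcc, "mnc": mnc,
                      "lac": int(lac, 16), "ci": int(cid, 16),
                      "bsic": bsic, "rxlev": int(rxlev),
                      "serving": int(idx) == 0})
    return cells

def strongest_per_network(cells):
    """Cell with the highest RxLev for each (MCC, MNC): one candidate per
    operator to query a cell-ID database with."""
    best = {}
    for c in cells:
        key = (c["mcc"], c["mnc"])
        if key not in best or c["rxlev"] > best[key]["rxlev"]:
            best[key] = c
    return best

def lookup_keys(cells):
    """(mcc, mnc, lac, ci) tuples in decimal, as most cell-ID databases expect."""
    return [(int(c["mcc"]), int(c["mnc"]), c["lac"], c["ci"]) for c in cells]
```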