RRLP » History » Version 4
admin, 02/19/2016 10:52 PM
typo in spec number
[[PageOutline]]
= RRLP =

RRLP is the ''Radio Resource LCS (Location Service) Protocol'', first specified in GSM TS 04.31.

It allows the GSM network operator to obtain very precise location information about a mobile phone, much more precise than is required for normal operation of the cellular network.

The use of RRLP has been specified for emergency calls. However, nothing in its specification restricts its use to this application.

In all known phones, RRLP operation is completely invisible to the user of the phone.

As GSM networks do not need to authenticate themselves, anyone can run a ''false BTS'' attack and successively obtain precise position information on a given mobile phone.

The popular Free Software implementations of the GSM network, [http://openbsc.osmocom.org/ OpenBSC] and [http://openbts.sourceforge.net/ OpenBTS], both support RRLP inquiries to mobile phones.

== RRLP Modes ==

RRLP operates in different ''modes''.

== MS-based GPS ==

In this method, the phone operates a stand-alone GPS receiver like those found in personal navigation devices.

The GPS receiver will do the regular GPS receive process, i.e.
* iterate over the list of 64 possible scrambling codes and acquire the C/A signal
* decode the actual data signal modulated onto the C/A carrier
* measure the timing difference of arrival (TDOA) of the various satellite signals
* compute a location estimate (GPS coordinates) based on the measurements

This complete GPS position fix is then communicated to the SMLC inside the GSM core network.

=== Assistance Data ===

Most RRLP-capable phones will request GPS assistance data from the network.

The operation of the GPS receiver is similar to the regular MS-based GPS approach described above. However, the GPS receiver is now an A-GPS receiver that already knows the almanac/ephemeris data and can thus acquire the signal much more quickly.

[http://git.osmocom.org/gitweb?p=osmocom-lcs.git;a=summary osmocom-lcs.git] contains a program that obtains the ephemeris data from a u-blox GPS receiver and structures/encodes it in the format needed by RRLP.

== MS-assisted GPS ==

In MS-assisted GPS, the MS does not compute the actual location. Instead, the location/position of the phone is computed in the SMLC (part of the GSM core network).

The SMLC provides detailed information about the current GPS signal to the phone, such as:
* which satellites are currently in the visible part of the hemisphere (and implicitly their scrambling code)
* the expected ''doppler shift'' observed at the MS location, caused by satellite movement relative to the MS
* the expected ''code phase'', i.e. the difference between a specified GSM bit and the GPS signal chip / bit
* the azimuth and elevation of the satellite

Based on this information, the phone does not have to do a full search/acquisition like a stand-alone GPS receiver.

Instead, it can do a very narrow search for each satellite in question, as it already knows
* at which doppler shift / range to expect the signal
* which pseudo-random scrambling sequence to use
* a very narrow position within the scrambling sequence

This significantly reduces the need for cross-correlation inside the phone.

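The narrowing described above, as an added example that is not part of the original page: it generates GPS C/A codes and compares a blind search over every code and code phase with an assisted search that already knows the satellite and an approximate code phase. It models only the code and code-phase dimensions (no Doppler, no noise); the eight-code subset, the 400-chip delay and the +/-4 chip window are constructed assumptions.

```python
# Added example (not from the original page): C/A code-phase acquisition,
# blind vs. assisted. Doppler search and noise are left out to keep it short.
N = 1023                     # chips per C/A code period
MASK = (1 << N) - 1
# G2 phase-selector taps for PRN 1-8 (assumed subset used for this demo)
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9),
           5: (1, 9), 6: (2, 10), 7: (1, 8), 8: (2, 9)}

def ca_code(prn):
    """Return the 1023-chip C/A Gold code of `prn` as an int (first chip = MSB)."""
    t1, t2 = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10          # both shift registers start all-ones
    word = 0
    for _ in range(N):
        chip = g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1]
        word = (word << 1) | chip
        fb1 = g1[2] ^ g1[9]                                   # G1: 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # G2 polynomial
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return word

def rotate(word, k):
    """Circularly shift a 1023-chip word by k chips."""
    k %= N
    return ((word << k) | (word >> (N - k))) & MASK

def correlate(a, b):
    """Agreeing chips minus disagreeing chips over one code period."""
    return N - 2 * bin(a ^ b).count("1")

def acquire(rx, prns, phases):
    """Correlate rx against each (prn, phase); return (prn, phase, peak, tries)."""
    best, tries = (None, None, -N - 1), 0
    for prn in prns:
        code = ca_code(prn)
        for ph in phases:
            tries += 1
            score = correlate(rx, rotate(code, ph))
            if score > best[2]:
                best = (prn, ph, score)
    return best + (tries,)

# Constructed input: noise-free signal of PRN 5 at a code phase of 400 chips.
RX = rotate(ca_code(5), 400)
BLIND = acquire(RX, sorted(G2_TAPS), range(N))   # stand-alone: try everything
ASSISTED = acquire(RX, [5], range(396, 405))     # SMLC gave PRN and code phase

if __name__ == "__main__":
    print("blind   :", BLIND)
    print("assisted:", ASSISTED)
```

Both searches lock onto the same code and phase; the difference is the number of correlations each one needs.
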
== E-OTD ==

FIXME