Distance from module to base station

Which AT command can I use to know the distance between the module and the Base Station (EnodeB) for 2G, 3G and 4G?

Unfortunately, we do not have that permission. The location information of the base station belongs to the operator and is not available. Obtaining the carrier’s base station information is an illegal act.

Any GSM module gives us an AT command to read the TA (Timing Advance)

GSM location by Timing Advance

GSM module located by Timing advance and GSM sector antenna

There are several theories for GSM locating. Here we concentrate on locating by Timing Advance (TA) combined with Angle of Arrival and analysing sector antennas. The TA value is usually between 0 and 63, each step representing an advance of one bit period (approximately 3.69 microseconds). With radio waves travelling at about 300 meters per microsecond, one TA step then represents a change in round-trip distance (twice the propagation range) of about 1100 meters. This means that the TA value changes for each 550-meter change in the range between a GSM module and the base station. This limit of 63 × 550 meters is the maximum 35 km distance that a device can be from a base station and is the upper bound on cell placement distance.

If you are able to catch the Timing Advance twice or even more often, then you are able to calculate the position even more accurately. One option could be to use the AT command for GSM band selection. If you are in Europe then you select GSM 900 / 1900 and after that you select GSM 850 / 1800. GSM 850 and GSM 1900 do not exist in Europe. This will force a registration to a GSM 900 MHz cell and a GSM 1800 MHz cell. Another option could be to use two different SIM cards or even better a foreign SIM card. If you are on roaming, then you can get the TA from different GSM operators.

FAQ on GSM location

1. I want to know how we can extract Cell IDs and who is in the specific BTS scope?

You can use the monitor commands or the EASY SCAN commands. AT#MONI gives you the values listed as below:
#MONI: TDC MOBIL BSIC:54 RxQual:0 LAC:0155 Id:1282 ARFCN:46 PWR:-77dbm TA:3
TA:3 means Timing Advance of 3.

2. How can we find out the BTS ID change when we are moving in a town?

If you buy the Cell IDs database from your local operator, then you will know which Cell IDs are in a city. You can also do it by probability calculation. In cities you will always find more base stations than outside of the city.

3. How can we send the message (SMS) which was extracted in the first step?

A GSM module with a microcontroller on the same PCB can do that job. You collect the Cell IDs and forward them by SMS or GPRS.

4. Is there any way to convert Cell ID to its Mobile Number?

Are you asking for a database which shows which mobile phone is registered to which base station? The GSM operators in some countries offer ready-to-use access to such GSM-based location services.

5. Is there any way to find location of specific Mobile Station? For example find now where is my son?

  • In the UK you get a list of the base stations on the website http://www.sitefinder.radio.gov.uk/
  • In Germany O2 transmits the location of the base station by SMS cell broadcast
  • In South Africa the GSM operators transmit the street name of the base station by SMS cell broadcast
  • In Germany the GSM operators are transmitting the prefix of the landline phone number area code by SMS cell broadcast. “030” is Berlin and “069” for example is Frankfurt.

6. Is there any need for a specific service on the network provider?

If you would not like to invest in your own location-based service, then most of the time a specific service is necessary. In Germany, the UK, France and a lot more countries you can get location services based on a special location service contract.

Source: http://www.gsm-modem.de/gsm-location.html
http://www.gsm-modem.de/faq-gsm-loaction.html

3 Likes

Micael, the distance you get by reading Time Advance (TA) with the monitor commands is in steps of 512 meters. The accuracy is 1TA +/- 1TA. With the evaluation of RSSI and Kalman filters you can optimize the result.

Tracking indoor and outdoor by GNSS and cell ID

Enjoy the reading.

1 Like

AT#MONI looks like a vendor specific AT command and it’s not supported by Quectel modems.

It seems AT+QENG="servingcell" could be used for that purpose, but the TA field is always empty in my tests.
Is there another AT command to get the Time Advance parameter?

  1. Which module have you tested?
  2. With which firmware have you tested?

Monitoring commands are not ETSI commands. They are vendor-specific. My test was made with Quectel BG96 on akorIoT SensPRO 1. The picture below is showing akorIoT SensPRO 2. The TA is a value related to GSM. Have you used GSM/GPRS?

Hi Harald,
I used AT+QENG on a BG95-M3 (same as in your picture?) with a roaming SIM in GSM mode.
Firmware version is BG95M3LAR02A03_01.011.01.011

AT+CREG?
+CREG: 0,5
OK
AT+CGREG?
+CGREG: 0,5
OK
AT+CEREG?
+CEREG: 0,4
OK
AT+QIACT?
+QIACT: 1,1,1,"10.109.160.137"
OK

Then:

AT+QENG="servingcell"
+QENG: "servingcell","NOCONN","GSM",222,88,86F9,7A83,58,110, ,-88,255,255,0,17,47,1, , , , , , , , , ,
OK
AT+QENG="neighbourcell"
+QENG: "neighbourcell","GSM",222,88,86F9,7A82,61,119,-103,2,32,0,0
+QENG: "neighbourcell","GSM",222,88,86F9,7A84,57,105,-88,17,47,0,0
+QENG: "neighbourcell","GSM",222,88,86F9,7A7B,60,114,-105,0,30,0,0
OK

(I had to put some spaces in between commas in the +QENG reply due to the forums’ formatting)
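The replies quoted so far, turned into a distance estimate; this is an added example, not part of any post in the thread and not vendor code. It uses the 3.69 µs bit period and 300 m/µs from the quoted article. Two things are assumptions: `tol_steps=1` models the "+/- 1TA" accuracy mentioned above, and index 19 as the position of the TA field in a GSM `servingcell` reply should be checked against the AT manual for your module.

```python
import re

BIT_PERIOD_US = 3.69      # GSM bit period, from the quoted article
METRES_PER_US = 300.0     # radio propagation speed, from the quoted article
STEP_M = BIT_PERIOD_US * METRES_PER_US / 2   # one-way metres per TA step
QENG_GSM_TA_INDEX = 19    # assumed position of <ta> in a GSM servingcell reply

def ta_band(ta, tol_steps=1):
    """(nominal, low, high) one-way distance in metres for a GSM TA value."""
    if not 0 <= ta <= 63:
        raise ValueError(f"TA {ta} is outside the GSM range 0..63")
    return (ta * STEP_M, max(ta - tol_steps, 0) * STEP_M, (ta + tol_steps) * STEP_M)

def parse_moni(line):
    """Split a '#MONI:' reply into its KEY:value pairs."""
    if not line.startswith("#MONI:"):
        raise ValueError("not a #MONI reply")
    return dict(re.findall(r"(\w+):(\S+)", line))

def qeng_gsm_ta(line):
    """Return TA from a GSM '+QENG: "servingcell"' reply, or None if not reported."""
    fields = [f.strip(' "\u201c\u201d') for f in line.split(",")]
    if "servingcell" not in fields[0] or len(fields) < 3 or fields[2] != "GSM":
        raise ValueError("not a GSM servingcell reply")
    if len(fields) <= QENG_GSM_TA_INDEX or not fields[QENG_GSM_TA_INDEX]:
        return None          # field empty or reply truncated: no estimate possible
    return int(fields[QENG_GSM_TA_INDEX])

def distance_report(line):
    """Distance band for either reply type; None when the modem gave no TA."""
    ta = int(parse_moni(line)["TA"]) if line.startswith("#MONI:") else qeng_gsm_ta(line)
    return None if ta is None else ta_band(ta)

# Replies copied from the thread (the +QENG one has an empty TA field).
MONI = "#MONI: TDC MOBIL BSIC:54 RxQual:0 LAC:0155 Id:1282 ARFCN:46 PWR:-77dbm TA:3"
QENG = ('+QENG: "servingcell","NOCONN","GSM",222,88,86F9,7A83,58,110, ,-88,'
        '255,255,0,17,47,1, , , , , , , , , ,')

if __name__ == "__main__":
    print(distance_report(MONI))   # nominal, low and high distance in metres
    print(distance_report(QENG))   # None: the modem reported no TA
```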

You use BG95M3LAR02A03_01.011.01.011
I compared with https://www.tekmodul.de/download/quectel/BG95M3LAR02A04_01.001.01.001.zip
My version is the latest for now.
I have been working in the field of GSM/GPRS development since 1995. A valid TA may only be readable in an active connection. After an active connection, the TA of the last connection is received. Did you retrieve the TA in an active connection? It’s the weekend and I can’t ask a colleague to test it. Unfortunately, I don’t have an Eval Kit in my office.

What do you mean by “active connection”?
The modem is connected in roaming (CREG and CGREG both read as 5).
I also tried opening a TCP connection, but nothing has changed:

AT+QIOPEN=1,1,"TCP","www.google.com",80
OK
+QIOPEN: 1,0
AT+QENG="servingcell"
+QENG: "servingcell","NOCONN","GSM",222,88,86F9,7A84,57,105,-95,255,255,0,10,40,1,

Also tried another operator, same story:

AT+QENG="servingcell"
+QENG: "servingcell","NOCONN","GSM",222,10,754A,1FD9,49,45,-92,255,255,0,15,15,1,
AT+QNWINFO
+QNWINFO: "EDGE","22210","GSM 900",45

I do have a data connection in place:

AT+QIACT?
+QIACT: 1,1,1,"10.193.48.51"
OK
AT+CGPADDR=1
+CGPADDR: 1,10.193.48.51
OK

It seems AT+QENG always reports “NOCONN”, no matter what I do. How do you make it report an active connection?

If you read the Cell info in a non-active connection, then you get the parameters of the last call. Active means an active call or connection to the base station.