\setchapterpreamble[u]{% \dictum[Stobaeus] {What use is knowledge if there is no understanding?} } \chapter{Introduction to GSM and GPS} \section{Motivation} \section{Goals of the thesis} The goal of the following thesis is to: - implement the Radio Resource Location Protocol inside of OpenBSC, to the extent of delivering correct GPS assistance data to cell phone subscribers inside the GSM network - test the protocol on 5-10 different smart phones - describe and analyze the background processes taking place inside of the cell phone \chapter{Assisted GPS} \section{GPS Principles} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/GPS-Principle.pdf} \caption[]{nanoBTS with its plastic cover. Image courtesy of ip.access ltd} \label{img:gpsprinciple} \end{figure} The GPS satellites\footnote{Satellites are named as space vehicles and the abrevation SV is used in the equation notations to denote a parameter related to the satellite itself.} orbiting our planet, at a distance of approximately 20,200 km, are equiped with precise atomic clocks \citep[Chapter 2.7]{diggelen2009a-gps}. These atomic clocks are calibrated and maintained on a daily basis by the U.S. Air Force, \citep{GPS-Pentagon}. The time the clock generates is called \textit{GPS system time}, denoted as $t_{SV}$, and it is generated as a time stamp at the moment of the frame broadcast \citep{GPS-Interface-Specification}. Each satellite signs the frame with its exact broadcast time. The broadcast time is encapsulated in the subframe 1 of the 1500 bit long frame. In addition to the broadcast time, subframe 1 contains parameters to account for the deterministic clock errors embedded in the broadcasted GPS system time stamp. These errors can be characterized as bias, drift and aging errors \citep{GPS-Interface-Specification}. The correct broadcast time, denoted as $t$, can be estimated using the model equation given in \eqref{eq:timecorrection1} \citep{GPS-Interface-Specification}. In equation \eqref{eq:timecorrection2}, where the GPS receiver is required to calculate the satellite clock offset, denoted as $\Delta t_{SV}$, a number of unknown terms can be seen. These terms are encapsulated in the subframe 1 or they can be estimated using predefined equations. The polynomial coefficients: $a_{f0}$ - \textit{clock offset}, $a_{f1}$ - \textit{fractional frequency offset}, $a_{f2}$ - \textit{ fractional frequency drift}; and $t_{0c}$ - \textit{reference epoch} are encapsulated inside of subframe 1. Finally, the only unknown term left in equation \eqref{eq:timecorrection2} is the \textit{relativistic correction term}, denoted as $\Delta t_{r}$. $\Delta t_{r}$ can be evaluated by applying the equation given in \eqref{eq:timecorrection3}. $F$ is a constant calculated from the given parameters in \eqref{eq:paramconst1} and \eqref{eq:paramconst2}, whereas $e$, $\sqrt{A}$ and $E_{k}$ are \textit{orbit parameters} encapsulated in subframe 2 and 3 \citep{GPS-Interface-Specification}. \begin{equation} \label{eq:timecorrection1} \centering t=t_{SV}-\Delta t_{SV} \end{equation} \begin{alignat}{4} & \Delta t_{SV} &= \;& a_{f0} + a_{f1}(t_{SV}-t_{oc}) + a_{f2}(t_{SV}-t_{oc})^{2} + \Delta t_{r} \label{eq:timecorrection2} \\ & \Delta t_{r} &= \; & Fe\sqrt{A}\sin{E_{k}} \label{eq:timecorrection3} \\ & F &= \;& \frac{-2\sqrt{\mu_{e}}} {c^{2}} = -4.442807633 \cdot 10^{-10} \frac{s}{\sqrt{m}} \label{eq:timecorrection4} \end{alignat} However, the broadcast satellite time information is not sufficient to estimate the precise time at the moment of the signal arival. Even though the signal arives in approximately 77 ms, the precision of the atomic clock is in the range of 10 ns \citep[Chapter 2]{diggelen2009a-gps}. Undoubtedly the signal propagation (travel) time, denoted as $t_{prop}$, has to be taken into account. Then the exact time at the moment of arival, denoted as $t_{exact}$, is given in equation \eqref{eq:exactTime}. The signal propagation time must be known to estimate the distance from the satellite as well as to estimate the position of the GPS receiver. \begin{equation} \label{eq:exactTime} t_{exact} = t_{prop}+t \end{equation} In order to calculate the signal propagation time between the satellite and the receiver, the internal clock wave of the of the receiver crystal needs to be synchronized with the carrier clock wave of the satellite \citep{4560215}. In other words, the identical carrier wave replica has to be generated on the receiver as on the satellite. Due to the nature of wave propagation and various errors the signal arives phase disordered at the receiver \citep{4560215}. The observed phase at the receiver antenna, denoted as $\varphi_{o}$, can be described using the equation given in \eqref{eq:phaseShift}, where $\varphi_{GPS}$ represents the known satellite carrier wave phase, $\delta \varphi_{SV}$ the clock instabilities on the GPS satellite, $\varphi_{a}$ the phase shift error caused by propagation delays in the ionosphere and troposphere respectively and $\delta \varphi_{w}$ is the wideband noise. \begin{equation} \label{eq:phaseShift} \varphi_{o} = \varphi_{GPS}+ \delta\varphi_{SV} + \varphi_{a} + \delta \varphi_{w} \end{equation} The task of the syncrhonization process is to generate a replica carrier wave with the matching phase shift. In the ideal case, the observed phase on the antenna and the generated phase on the receiver, denoted as $\varphi_{r}$, cancel each other out, in other words, equation \eqref{eq:phaseIdealCaset} equals to zero. \begin{equation} \label{eq:phaseIdealCaset} \Delta \varphi = \varphi_{o} - \varphi_{r} \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=1.0]{img/Phase-Diff.pdf} \caption[]{Two equivalent carrier waves with phase shift} \label{img:phaseShift} \end{figure} If this property is not satisfied, it is not possible to demudalte the C/A code from the received signal. More importantly, $t_{exact}$ is used to synchronize various system dependent. \begin{alignat}{4} & A & = & \; (\sqrt{A})^2 \nonumber \\ & n_{0} & = &\; \sqrt{\frac{\mu}{A^3}} \nonumber \\ & t_{k} & = &\; t-t_{oe} \nonumber \\ & n & = &\; n_{0} + \Delta n \nonumber \\ & M_{k} & = &\; M_{0} + nt_{k} \nonumber \\ & M_{k} & = &\; E_{k} - e\sin E_{k} \nonumber \\ & v_{k} & = & \tan ^{-1} \left( \frac{\sin v_{k}}{\cos v_{k}} \right) = \tan ^{-1} \left( \frac{\frac{\sqrt{1-e^2} \sin E_{k}}{1-e \cos E_{k}}}{\frac{\cos E_{k}-e}{1-e\cos E_{k}}} \right) \nonumber \\ & v_{k} & = & \tan ^{-1} \left( \frac{\sin v_{k}}{\cos v_{k}} \right) = \tan ^{-1} \left( \frac{\sqrt{1-e^2} \sin E_{k}/(1-e \cos E_{k})}{(\cos E_{k}-e)/(1-e\cos E_{k})} \right) = \tan ^{-1} \left( \frac{\sqrt{1-e^2} \sin E_{k}}{\cos E_{k} - e} \right) \nonumber \\ & E_{k} & = & \cos ^{-1} \left( \frac{e+\cos v_{k}}{1+e \cos v_{k}} \right) \nonumber \\ & \Phi_{k} & = &\; v_{k} + \omega \nonumber \\ & \delta u_{k} & = &\; c_{us} \sin{2\Phi_{k}} + C_{us} \cos{2\Phi_{k}} \\ & \delta r_{k} & = &\; c_{rc} \cos{2\Phi_{k}} + C_{rs} \sin{2\Phi_{k}} \nonumber \\ & \delta i_{k} & = &\; c_{ic} \cos{2\Phi_{k}} + C_{is} \sin{2\Phi_{k}} \nonumber \\ & u_{k} & = &\; \Phi_{k} + \delta u_{k} \nonumber \\ & r_{k} & = &\; A(1-e\cos{E_{k}})+\delta r_{k} \nonumber \\ & i_{k} & = &\; i_{0} + \delta i_{k} + (IDOT)t_{k} \nonumber \\ & x_{k}^{'} & = &\; r_{k} \cos{u_{k}} \nonumber \\ & y_{k}^{'} & = &\; r_{k} \sin{u_{k}} \nonumber \\ & \Omega_{k} & = &\; \Omega_{0} + (\Omega - \Omega_{e})t_{k} - \Omega_{e}t_{oe} \nonumber \\ & x & = &\; x_{k}^{'} \cos{\Omega_{k}}-y_{k}^{'}\cos{i_{k}}\sin{\Omega_{k}} \nonumber \\ & y & = &\; x_{k}^{'} \sin{\Omega_{k}}-y_{k}^{'}\cos{i_{k}}\cos{\Omega_{k}} \nonumber \\ & z & = &\; y_{k}^{'} \sin{i_{k}} \nonumber \end{alignat} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/GPS-Modulation.pdf} \caption[]{Modulation of the GPS signal L1} \label{img:gpsmod} \end{figure} As seen in \citep{1656803} \begin{equation} \label{eq:GPSSignalOutput} S(t) = \sqrt{\frac{P}{2}}D(t)C(t)cos(2\pi f_{c}+\varphi_{SV}) + n(t) \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/NAV-Message.pdf} \caption[]{One frame of 1500 bits on L1 frequency carrier} \label{img:gpsframe} \end{figure} \chapter{Radio Resource Location Protocol} \chapter {Working} \section{Zitieren..} citep: \citep{kopka1997latex} \\ citet: \citet{kopka1997latex} \chapter{System} Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.\todo{Referenz für lorem ipsum} Test test \chapter{Software} Author's test system operated on the ARFCN 877 channel. ARFCN (Absolute Radio Frequency Channel Number) defines the uplink and downlink channel frequency insdide the GSM network \citep{Richard2011Master}. ARFCN 877 corresponds to the uplink frequency of 1,783.2 MHz and a downlink frequency of 1,878.2 MHz, where the uplink direction represents the direction from the nanoBTS to the mobile stations and downlink the opposite direction. The decision to use the ARFCN 877 channel was derived from the fact that the channel was free, measurements were carried out with a spectrum analyzer built on the USRP hardware. \chapter{Hardware} In the following chapter the author will introduce the reader to the hardware components used in the thesis. The hardware components will be presented according to their importance of building an operational and functional GSM network with GPS localization capabilities. Firstly the nanoBTS will be introduced since it is the main hardware component used for building a basic GSM network infrastructure. Then a short insight into the used GPS receiver will be given. Additionally the mobile stations used for testing of the system will be reviewed. Finally, a hardware connection diagram will be given. \section{GSM BTS - nanoBTS} In recent years, there has been an increasing interest in deployment of private cellular networks in remote areas or for research which lead to the devolopment of diverse ``low-cost'' GSM hardware solutions. According to ip.access\footnote{http://www.ipaccess.com}, the manufacturer of nanoBTS, their hardware product is deployed for coverage of ``hard-to-reach places; in-buildings; remote areas; marine and aviation; and public spaces''. A nanoBTS with its plastic cover can be seen in Figure \ref{img:nanoBTSPlastic}. Our University GSM network consists of three nanoBTS stations. The deployed nanoBTS in author's thesis works in the 1800 MHz frequency range, for which the University of Freiburg had obtained a licence from the Federal Network Agency (German: $Bundesnetzagentur$). The transmission frequencies range between 1805-1880 MHz, with 200 KHz channel spacing and maximal output power of +13 dBm ($\approx$20 mW)\todo{Check the output powere 20 dBm}, whereas the receiving frequencies lie in the range between 1710-1785 MHz and same channel spacing as for transmission of 200 KHz \citep{nanoGSM2007brochure}. \todo{Add the Abis over IP protocol} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/nanoBTS.jpg} \caption[]{nanoBTS with its plastic cover. Image courtesy of ip.access ltd} \label{img:nanoBTSPlastic} \end{figure} The nanoBTS is equiped with an internal 0 dBi (nominal) omni-directional antenna. However, two external antennas sized 30x36 mm, one for transmission (TX) and the other one for reception (RX) of radio waves were used to extend the coverage area. These antennas are connected via the SMA connectors. By using an RF amplifier and larger antennas, for these frequency ranges, the covered area with the GSM signal reception can be increased. For the gain estimation and radiation angle of the used antennas the measurement equipment was missing and therefore was not conducted and described in this work.\todo{Check for what NWL is} At the bottom of the nanoBTS there are 5 ports, as seen in Figure \ref{img:nanoBTSPorts}. The ports from left to right are: voltage supply, ethernet cable with power supply, USB port, TIB-IN and TIB-OUT. In the next paragraph a brief overview of each port will be given. \begin{figure}[ht!] \centering \includegraphics[scale=0.15]{img/nanoBTSPorts.jpg} \caption[]{nanoBTS with two external antennas and five connection ports} \label{img:nanoBTSPorts} \end{figure} The left most port is the power supply port used for supplying the nanoBTS with 48 V DC and is optionally used depending on the cable configuration. In author's hardware configuration the power supply port is not used. The following port is for the ethernet connection with 48 V DC power supply. This port is connected to a power supply that is supplied with the nanoBTS. It extends the ethernet connection with 48 V DC for the normal operation mode of the nanoBTS which is in the range between 38-50 V DC. The power consumtion of the nanoBTS is 13 W. More details on how to interconnect the cables will be given in section \ref{sec:hardwareConfig}. In the middle of the five port region, the mini USB port can be found. It is used by the manufacturer to write the firmware software to the nanoBTS. The last two ports are the TIB-IN and TIB-OUT port\footnote{TIB stands for Timing Interface Bus}. These two ports are used if the GSM network operator requires more than 11 channels to increase the overall capacity of the network. ``Up to 4 nanoBTS can be combined into a multiple TRX cell, increasing the number of supported users per TRX by up to 200\%. The TIB-OUT from the Master TRX must be connected to the TIB-IN of the slave TRX. This in turn has its TIB-OUT connected to the next TRX in the chain'' \citep{multipleTRX}. The multiple TRX cell configuration will not be further discussed in this work since the purpose of the work was not to boost the capacity of a GSM network but implementation and testing of the RRLP protocol. To determine the working state of the nanoBTS, an indicator status LED is located on the left side of the five ports region. After the nanoBTS is connected to the power suplly with the ethernet cable, it will change its color and blink speed according to the state it is in. The states can be seen in the Table given in \ref{tbl:LEDStatus} \citep{installnanoBTS}. One of the key limitations of gathering more technical data and the critical aspect of this description lies in the fact, that nanoBTS is not an open source hardware platform and ip.access does not offer more details on their product. The lack of systematic hardware analysis can be seen as a major drawback of working with the nanoBTS hardware. However, the given technical data are sufficient for reproducing and conducting the RRLP tests described in this thesis. \begin{table}[h!t!p!] \begin{center} \caption{Indicator LED status on the nanoBTS} \begin{tabular}{|c||p{3cm}|p{5cm}|c|c|} \hline % \T and \B would not work if it is placed here (needs to go inside cell) State&Color \& Pattern&When&Precedence \\ \hline\hline Self-test failure&Red - Steady&In boot or application code when a power on self-test fails&1 (High) \\ \hline Unspecified failure&Red - Steady &On software fatal errors&2 \\ \hline No ethernet&Orange - Slow flash &Ethernet disconnected&3 \\ \hline Factory reset&Red - Fast blink &Dongle detected at start up and the factory defaults have been applied&4 \\ \hline Not configured&Alternating Red/Green - Fast flash &The unit has not been configured&5 \\ \hline Downloading code&Orange - Fast flash &Code download procedure is in progress&6 \\ \hline Establishing XML&Orange - Slow blink &A management link has not yet been established but is needed for the TRX to become operational. Specifically: for a master a Primary OML or Secondary OML is not yet established; for a slave an IML to its master or a Secondary OML is not yet established.&7 \\ \hline Self-test &Orange - Steady & From power on until end of backhaul powe on self-test&8 \\ \hline NWL-test &Green - Fast flash & OML established, NWL test in progress&9 \\ \hline OCXO Calibration &Alternating Green/Orange - Slow blink & The unit is in the fast calibrating state [SYNC]&10 \\ \hline Not transmitting &Green - Slow flash & The radio carrier is not being transmitted &11 \\ \hline Operational &Green - Steady & Default condition if none of the above apply&12 (Low) \\ \hline \end{tabular} \end{center} \label{tbl:LEDStatus} \end{table} \newpage \section{GPS Receiver - NL-402U} \label{sec:gpsDevice} In the next paragraphs the used GPS device will be described. In contrast to the earlier described hardware, nanoBTS, which the University of Freiburg already owned, the budget for the GPS receiver was limited and the Navilock NL-402U was bought considering only the single criterion, the price. The Navilock NL-402U GPS receiver is based on the u-blox UBX-G5000 single chipset and is a one chip solution \citep{ubxDatasheet}. It can be seen on Figure \ref{img:gpsNavilock} with its passive ceramic patch antenna. 1575,42 MHz is the operating frequency of the receiver which corresponds to the L1 civil frequencies and Coarse/Acquisition (C/A) code. The GPS chipset consists of 50 channels, each channel tracks the transmission from a single satellite \citep{understandGPS}. It is important to note, the number of channels inside a GPS receiver interrelates with the amount of time required to get the first fix. Receiver tracking sensitivity is -160 dBm ($10^{-16}$ mW). The GPS receiver communicates with the computer ovet the USB port. Although the GPS receiver uses an USB interface, on the computer it emulates 2 UART ports, which are serial communication interfaces. \begin{figure}[ht!] \centering \includegraphics[scale=0.12]{img/gpsNavlock.jpg} \caption[]{Navilock NL-402U, opened up with the antenna and USB cable} \label{img:gpsNavilock} \end{figure} \section{Cable configuration} \label{sec:hardwareConfig} In the next section, the author will focus on properly connecting the hardware. At least 4 ethernet cables with RJ45 connectors, on both sides, were required and one switch or hub connected to the internet. One should take notice of the cabling between the nanoBTS and the ethernet switch or hub, since wrong cabling with the power supply unit (PSU) could damage one of the devices. In Figure \ref{img:connectionDiagram}, the junction points are label according to the used configuration setting. The ethernet cables between the switch/hub, PSU and nanoBTS should not be longer than 100 m \citep{installnanoBTS}. \begin{figure}[ht!] \centering \includegraphics[scale=0.5]{img/hardwareConnection} \caption[]{Cable connections, showing interconnection diagram} \label{img:connectionDiagram} \end{figure} \chapter{Implementation} \chapter{Future work} \chapter{Summary} \chapter*{Dictionary of acronyms} \begin{itemize} \item \emph{ARFCN} - Absolute Radio Frequency Channel Number - The channel number specifies the physical frequency channel used for transmission and reception of radio waves inside of an BTS covered area. \item \emph{BTS} - Base Transceiver Station - \item \emph{DC} - Direct Current \item \emph{GNSS} - Global Navigation Satellite System - A satellite navigation system that allows a specialized receive to determine its location on Earth. \item \emph{LED} - Light Emitting Diode - A diode that emitts light. \item \emph{IP Address} - \todo{Write what an IP address is}. \item \emph{PCB} - Printed Circuit Board - The board where electronic components are soldered onto and wired through conductive tracks. \item \emph{RRLP} - Radio Resource Location Protocol - The employed protocol in GSM, UMTS and other wireless networks for providing and exchange of geolocation information. \item \emph{SMA} - SubMiniature version A - SMA is a connector used for interconnecting coaxial cables or PCB electronics that work in the frequency range between 0-18 GHz. \item \emph{TIB} - Time Interface Bus - The TIB is used to provide the synchronization of the clock, frequency and frame number between the nanoBTS when operating in a single 2-4 BTS configuration. \item \emph{TRX} - \item \emph{UART} - Universal Asynchronous Receiver Transmitter - A serial communication interface used by computers or other peripheral devices to communicate. \item \emph{UMTS} - Universal Mobile Telecommunications System - Third generation mobile network based on the GSM standards. \end{itemize}