\setchapterpreamble[u]{%
\dictum[Stobaeus]{What use is knowledge if there is no understanding?}
}
\chapter{Introduction to GSM and GPS}

\section{Motivation}

\section{Goals of the thesis}
The goals of this thesis are to:
\begin{itemize}
\item implement the Radio Resource Location Protocol inside OpenBSC, to the extent of delivering correct GPS assistance data to cell phone subscribers inside the GSM network
\item test the protocol on 5-10 different smart phones
\item describe and analyse the background processes taking place inside the cell phone
\end{itemize}

\chapter{Assisted GPS}

\section{GPS Principles}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/GPS-Principle.pdf}
\caption[]{nanoBTS with its plastic cover. Image courtesy of ip.access ltd}
\label{img:gpsprinciple}
\end{figure}

\section{GPS signal modulation}
The transmitted signal after the RF frontend is given in equation \eqref{eq:GPSSignalTransmitted} \citep{1656803}.
\begin{equation}
\label{eq:GPSSignalTransmitted}
S(t) = \sqrt{\frac{P}{2}}D(t)C(t)\cos(2\pi f_{c}t+\varphi_{SV}) + n(t)
\end{equation}
The received signal after the RF frontend is given in equation \eqref{eq:GPSSignalReceived} \citep{1656803}.
\begin{equation}
\label{eq:GPSSignalReceived}
S(t) = \sqrt{\frac{P}{2}}d_{C/A}\cos(2\pi f_{c}t+\varphi_{SV}) + n(t)
\end{equation}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/GPS-Modulation.pdf}
\caption[]{Modulation of the GPS signal L1}
\label{img:gpsmod}
\end{figure}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/NAV-Message.pdf}
\caption[]{One frame of 1500 bits on L1 frequency carrier}
\label{img:gpsframe}
\end{figure}

\section{GPS signal demodulation}
The GPS satellites\footnote{Satellites are also called space vehicles, and the abbreviation SV is used in the equation notation to denote a parameter related to the satellite itself.} orbiting our planet at a distance of approximately $20200 \, \mathrm{km}$ are equipped with precise atomic clocks \citep[Chapter 2.7]{diggelen2009a-gps}.
These atomic clocks are calibrated and maintained on a daily basis by the U.S. Air Force \citep{GPS-Pentagon}. The time the atomic clock generates is referred to as \textit{GPS system time}, denoted as $t_{SV}$, and it is generated as a time stamp at the moment of the frame broadcast \citep{GPS-Interface-Specification}. Each satellite stamps the frame with its exact broadcast time. The broadcast time is encapsulated in subframe 1 of the 1500 bit long frame. In addition to the broadcast time, subframe 1 contains parameters to account for the deterministic clock errors embedded in the broadcast GPS system time stamp. These errors can be characterized as bias, drift and aging errors \citep{GPS-Interface-Specification}. The correct broadcast time, denoted as $t$, can be estimated using the model given in equation \eqref{eq:timecorrection1} \citep{GPS-Interface-Specification}. Equation \eqref{eq:timecorrection2}, with which the GPS receiver calculates the satellite clock offset, denoted as $\Delta t_{SV}$, contains a number of unknown terms. These terms are encapsulated inside the transmitted frames. The polynomial coefficients $a_{f0}$ (\textit{clock offset}), $a_{f1}$ (\textit{fractional frequency offset}) and $a_{f2}$ (\textit{fractional frequency drift}), as well as $t_{oc}$ (\textit{reference epoch}), are encapsulated inside subframe 1. The only remaining unknown term in equation \eqref{eq:timecorrection2} is the \textit{relativistic correction term}, denoted as $\Delta t_{r}$. $\Delta t_{r}$ can be evaluated by applying equation \eqref{eq:timecorrection3}. $F$ is a constant calculated from the given parameters in \eqref{eq:paramconst1} and \eqref{eq:paramconst2}, whereas $e$, $\sqrt{A}$ and $E_{k}$ are \textit{orbit parameters} encapsulated in subframes 2 and 3 \citep{GPS-Interface-Specification}.
\begin{equation}
\label{eq:timecorrection1}
t=t_{SV}-\Delta t_{SV}
\end{equation}
\begin{alignat}{4}
& \Delta t_{SV} &= \;& a_{f0} + a_{f1}(t_{SV}-t_{oc}) + a_{f2}(t_{SV}-t_{oc})^{2} + \Delta t_{r} \label{eq:timecorrection2} \\
& \Delta t_{r} &= \; & Fe\sqrt{A}\sin{E_{k}} \label{eq:timecorrection3} \\
& F &= \;& \frac{-2\sqrt{\mu_{e}}} {c^{2}} = -4.442807633 \cdot 10^{-10} \frac{\mathrm{s}}{\sqrt{\mathrm{m}}} \label{eq:timecorrection4}
\end{alignat}
Nevertheless, the broadcast satellite time information is not sufficient to estimate the precise time at the moment of the signal arrival. Even though the signal arrives in approximately\footnote{Propagation time depends on user and GPS satellite position.} $77 \, \mathrm{ms}$, the precision of the atomic clock is in the range of 10 ns \citep[Chapter 2]{diggelen2009a-gps}. The signal propagation (travel) time, denoted as $t_{prop}$, therefore has to be taken into account. Once it is, the exact time at the moment of arrival, denoted as $t_{exact}$, is known; it is given in equation \eqref{eq:exactTime}. The signal propagation time must be known to estimate the distance from the satellite but is not sufficient to estimate the position of the GPS receiver. More importantly, $t_{exact}$ will later be used to synchronize various time dependent systems such as GSM, LTE, GNSS or other communication and ranging systems.
\begin{equation}
\label{eq:exactTime}
t_{exact} = t_{prop}+t
\end{equation}

\subsection{Carrier wave demodulation}
\label{sec:Carrierdemod}
In order to calculate the signal propagation time between the satellite and the receiver, the internal sine wave synthesizer of the receiver has to be synchronized with the carrier sine wave generator of the GPS satellite \citep{4560215}. In other words, the receiver has to generate an identical replica of the satellite's carrier wave \citep{736341}. However, the received signal is not identical to the transmitted signal.
Due to the nature of the Doppler effect\footnote{The Doppler effect is a phenomenon that happens as a result of relative motion of the two bodies, transmitter and receiver, towards or away from each other and causes a frequency shift of the electromagnetic wave \citep[Chapter 4]{3540727140}.} and wave propagation, the transmitted signal arrives phase disordered at the receiver \citep{4560215}. This phase disorder is a consequence of the relationship between the instantaneous frequency and instantaneous phase according to equations \eqref{eq:freqPhase} and \eqref{eq:phaseFreq}.
\begin{equation}
\label{eq:freqPhase}
f(t)=\frac{1}{2\pi}\frac{d}{dt}\phi(t)
\end{equation}
\begin{equation}
\label{eq:phaseFreq}
\phi(t) = 2\pi \int_{-\infty}^{t} f(\tau) d\tau
\end{equation}
Considering that the GPS satellites orbit the Earth with a speed of around $3.9 \, \mathrm{km/s}$, the Earth rotates around its axis and the target user with the GPS receiver may move as well, the Doppler effect is unavoidable. The observed phase at the receiver antenna, denoted as $\varphi_{o}$, can be described using equation \eqref{eq:phaseShift}, where $\varphi_{GPS}$ represents the known satellite carrier wave phase, $\delta \varphi_{SV}$ the clock instabilities on the GPS satellite, $\varphi_{a}$ the phase shift error caused by propagation delays in the ionosphere and troposphere respectively, $\delta \varphi_{DE}$ the phase shift caused by the Doppler effect and $\delta \varphi_{w}$ the wideband noise phase shift.
\begin{equation}
\label{eq:phaseShift}
\varphi_{o} = \varphi_{GPS}+ \delta\varphi_{SV} + \varphi_{a} +\delta \varphi_{DE} + \delta \varphi_{w}
\end{equation}
The task of the demodulation process is to generate a replica carrier wave with the matching phase shift and mix it with the incoming signal.
In the ideal case the observed phase on the antenna and the generated phase on the receiver, denoted as $\varphi_{rec}$, cancel each other out, that is to say, equation \eqref{eq:phaseIdealCase} equals zero. The circuit responsible for generating the same carrier wave is the phase locked loop (PLL). The PLL modifies the synthesized wave parameters such that $\lim \Delta \varphi \approx 0$.
\begin{equation}
\label{eq:phaseIdealCase}
\Delta \varphi = \varphi_{o} - \varphi_{rec}
\end{equation}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.5]{img/Phase-Diff.pdf}
\caption[]{Two equivalent carrier waves with the same frequency but different phase shift}
\label{img:phaseShift}
\end{figure}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.5]{img/L1-Demodulation.pdf}
\caption[]{Demodulation of the L1 GPS signal}
\label{img:L1Demod}
\end{figure}
This is straightforward to understand by looking at the multiplication of two sine waves. The GPS L1 signal demodulator at the receiver is depicted in figure \ref{img:L1Demod}: the incoming signal L1 is multiplied with the synthesized sine wave (multiplication is the function of a mixer, denoted as $\otimes$ in figure \ref{img:L1Demod}). For easier analysis, cosine waves will be used instead of sine waves; the only difference between them is the phase shift, as shown in equation \eqref{eq:sineEqCosine}.
\begin{equation}
\label{eq:sineEqCosine}
\sin(\pm x) = \cos\bigg(\frac{\pi}{2} \pm x\bigg)
\end{equation}
The product of two cosine waves, as in equation \eqref{eq:multCosin}, can be derived by adding $\cos(A+B)$ and $\cos(A-B)$, as respectively given in equations \eqref{eq:cos1} and \eqref{eq:cos2}.
\begin{equation}
\label{eq:multCosin}
\cos(A)\cdot\cos(B) = \frac{1}{2}\cos(A-B)+\frac{1}{2}\cos(A+B)
\end{equation}
\begin{equation}
\label{eq:cos1}
\cos(A+B) = \cos(A)\cos(B)-\sin(A)\sin(B)
\end{equation}
\begin{equation}
\label{eq:cos2}
\cos(A-B) = \cos(A)\cos(B)+\sin(A)\sin(B)
\end{equation}
The incoming GPS L1 signal with a frequency $f_{1}$, given in figure \ref{img:L1Demod}, can be written as $d_{C/A}\cos(\omega_{1}t)$, where $\omega_{1}=2\pi f_{1}$ is the angular frequency and $d_{C/A}$ is the C/A data (navigation message modulated with the PRN code), $d_{C/A}=d_{PRN}\oplus d_{NAV}$. If equation \eqref{eq:multCosin} is rewritten with the received GPS signal L1 and the synthesized wave with a frequency $f_{2}$, the result is the equation given in \eqref{eq:cosResult}.
\begin{equation}
\label{eq:cosResult}
d_{C/A}\cdot\cos(\omega_{1}t)\cos(\omega_{2}t) = \frac{1}{2}d_{C/A}\cdot\cos(\omega_{1}t-\omega_{2}t) + \frac{1}{2}d_{C/A}\cos(\omega_{1}t+\omega_{2}t)
\end{equation}
This leaves the resulting signal with two frequency terms, a low frequency term $(\omega_{1}t-\omega_{2}t)$ and a high frequency term $(\omega_{1}t+\omega_{2}t)$; the $t$ can be taken in front of the bracket as it is a common multiplier. The high frequency term, $(\omega_{1}+\omega_{2})$, can be filtered out using a low-pass filter\footnote{A low-pass filter passes low frequency signals and attenuates high frequency signals. In other words, signals higher than the specified cutoff frequency of the low-pass filter are cut off by reducing their amplitudes.}. Ideally, the difference of the angular frequencies is zero, as in equation \eqref{eq:delaOmega}. Since $\cos(\Delta \omega)=\cos(0)=1$, the remaining signal is only the C/A code multiplied with the DC term (zero frequency producing a constant voltage), leaving only $\frac{1}{2}d_{C/A}$.
\begin{equation}
\label{eq:delaOmega}
\Delta \omega = \omega_{1}-\omega_{2} = 0
\end{equation}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.5]{img/PRN-PhaseShiftAfterDemod.pdf}
\caption[]{Effects of the low frequency term on the demodulated output C/A wave on the GPS receiver (the explanations and figures are from top to bottom). If the synthesized frequency is correct, $f_{1}=f_{2}$, the low frequency term becomes a DC term and does not modify the output $d_{C/A}$ wave (first figure). If the frequency matches but the phase does not, in this case the phase is shifted by $\pi$, then $d_{C/A}$ is inverted (second figure). If the phase shifts with time, then the amplitude and phase of $d_{C/A}$ will vary as well (third figure).}
\label{img:multCAPhase}
\end{figure}
However, if the frequencies do not match, $f_{1}\neq f_{2}$, then the output signal $\frac{1}{2}d_{C/A}$ will be modified by the residual frequency $f_{1}-f_{2}$, which subsequently changes the demodulated C/A output (also known as phase shift). Under those circumstances the correlator will be unable to match the C/A code with the correct PRN code. An illustration of this phenomenon is depicted in figure \ref{img:multCAPhase}.

\subsection{C/A wave demodulation}
\label{sec:CAdemod}
As a result of the previous step, one can continue with the demodulation of the C/A wave. Each tracked GPS satellite signal is demodulated separately using the same PRN code, code chipping rate and carrier frequency-phase (which was determined above) for the given satellite \citep[Chapter 4]{understandGPS}. The PRN code for each GPS satellite is well defined and known by the GPS receiver. The receiver has to generate the same PRN code with a code chipping rate (phase) matching that of the transmitted C/A code; this is depicted in figure \ref{img:prnCodeCompare} \citep[Chapter 5]{understandGPS}.
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/PRN-ChipRate.pdf}
\caption[]{Comparison between the original C/A code generated on the GPS satellite with two synthesized PRN codes with a different phase shift on the receiver.}
\label{img:prnCodeCompare}
\end{figure}
In this particular example, the matching phase shift was achieved with the second replica PRN code, with a phase shift of $\tau=0$, but $\tau$ could take any other value, $\tau\in[0,1023]$. The implementation of the PRN code synthesizer depends on the GPS receiver manufacturer, but it is usually implemented as linear feedback shift registers (LFSR) that produce an output according to a predefined function $f(\tau)$. This function, $f(\tau)$, generates a PRN code that is delayed in phase by $\tau$, where $\tau$ is a multiple of the chipping rate period $T_{c}=977.5 \,\mathrm{ns}$. The chipping period $T_{c}$ can be derived from equation \eqref{eq:chipPeriod}. The time required to find a matching PRN code shift, $\tau$, is proportional to the number of LFSRs on the system \citep[Chapter 3]{bensky2008wireless}. Clearly with more LFSRs the required time for finding the matching phase shift increases.
\begin{equation}
\label{eq:chipPeriod}
T_{c} = \frac{1}{f_{PRN}} = \frac{1}{1.023\cdot 10^6}
\end{equation}
To determine whether the synthesized PRN code matches the incoming C/A code of the received satellite signal, known correlation properties of PRN codes are used. Since the PRN code is modeled as a sequence of +1's and -1's, the autocorrelation of a signal is at its maximum if it is in phase, i.e. summing up the sequence products yields the absolute maximum value. As an illustration of the idea, an example is given in figure \ref{img:correlatingSignals}.
The cross-correlation of the incoming C/A code with the first synthesized PRN code produces a result of $-3=(+1)\cdot(-1)+(-1)\cdot(+1)+(+1)\cdot(-1)+(+1)\cdot(+1)+(-1)\cdot(+1)$, whereas the cross-correlation of the incoming C/A code and the second synthesized PRN code yields a result of $+5=(+1)\cdot(+1)+(-1)\cdot(-1)+(+1)\cdot(+1)+(+1)\cdot(+1)+(-1)\cdot(-1)$.
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/Correlation.pdf}
\caption[]{Cross-correlation on three different signals}
\label{img:correlatingSignals}
\end{figure}
The same principle applies to the sent C/A and PRN code sequences in the GPS receiver and can thus be modeled using equation \eqref{eq:autocorrelationProperty}, where $G_{i}(t)$ is the C/A code Gold code sequence as a function of time $t$ for the GPS satellite $i$, $T_{C/A}$ is the C/A chipping period of $977.5 \,\mathrm{ns}$ and $\tau$ is the phase shift in the auto-correlation function \citep[Chapter 4]{understandGPS}.
\begin{equation}
\label{eq:autocorrelationProperty}
R_{i}(t) = \frac{1}{1023\cdot T_{C/A}} \int_{t=0}^{1023} G_{i}(t)G_{i}(t+\tau)d\tau
\end{equation}
Another correlation property of the PRN codes is also useful: in the ideal case, the cross-correlation of two different PRN codes yields a result of zero. The ideal case can be modeled as in equation \eqref{eq:prnIdealCaseZero},
\begin{equation}
\label{eq:prnIdealCaseZero}
R_{ij}(\tau) = \int_{-\infty}^{+\infty} PRN_{i}(t)PRN_{j}(t+\tau)d\tau = 0
\end{equation}
where $PRN_{i}$ is the PRN code waveform for GPS satellite $i$ and $PRN_{j}$ is the PRN code waveform for every other GPS satellite other than $i$, $i\neq j$ \citep[Chapter 4]{understandGPS}. Equation \eqref{eq:prnIdealCaseZero} ``states that the PRN waveform of satellite $i$ does not correlate with PRN waveform of any other satellite $j$ for any phase shift $\tau$'' \citep[Chapter 4]{understandGPS}.
Without the property given in \eqref{eq:prnIdealCaseZero}, the GPS receiver would not be able to smoothly differentiate between different GPS satellite signals. Once the phase shift, $\tau$, has been found, the C/A code is modulated (XORed) with it. The resulting binary code will be the navigation message. The implementation problem of finding the correct C/A and carrier wave demodulation is explained further in section \ref{sec:2dSearch}.

\subsection{Implementation of the 2D search space problem}
\label{sec:2dSearch}
The following paragraphs introduce the implementation problems of the previously mentioned concepts. As can be seen from subsections \ref{sec:CAdemod} and \ref{sec:Carrierdemod}, decoding the GPS navigation message is a 2D search space problem for each GPS satellite signal acquisition. The 2D search space is limited by well known physical properties of the GNSS system such as the motion speed of GPS satellites and the receiver as well as the frequency oscillator on the receiver. GPS satellites move toward or away from the GPS receiver with a speed of $800 \, \mathrm{m/s}$ \citep[Chapter 3]{diggelen2009a-gps}. The Doppler effect on the frequency of the satellite can be estimated using equation \eqref{eq:dopplerEffectSpeed}, where $f_{e}$ is the emitting frequency (L1), $v_{SV}$ is the speed of the satellite towards (away from) the receiver and $c$ is the speed of light.
\begin{equation}
\label{eq:dopplerEffectSpeed}
f_{DE} = f_{e}\frac{v_{SV}}{c}
\end{equation}
Inserting the appropriate values in equation \eqref{eq:dopplerEffectSpeed} yields a result of $\approx4.2 \, \mathrm{kHz}$ for $800 \, \mathrm{m/s}$ and $\approx-4.2 \, \mathrm{kHz}$ for $-800 \, \mathrm{m/s}$ (if the satellite moves away from the GPS receiver then the speed is taken as negative). This makes a range of $\approx8.4 \, \mathrm{kHz}$.
The Doppler effect of the GPS receiver motion can be ignored, since each $1 \, \mathrm{km/h}$ of movement affects the frequency range by only $\approx 1.46 \, \mathrm{Hz}$. On the other hand, the frequency offset induced by the reference oscillator in the GPS receiver cannot be ignored. The frequency search space is ``additionally affected for $1.575 \, \mathrm{kHz}$ of unknown frequency offset for each $1 \, \mathrm{ppm}$ (\textit{parts per million}) of the unknown receiver oscillator offset'' \citep[Chapter 3]{diggelen2009a-gps}. The reference oscillators in GPS receivers typically have an offset of $\pm0.5$, $\pm1$, $\pm2$, $\pm3$ or $\pm5 \,\mathrm{ppm}$ \citep{daishinku}, \citep[Chapter 3]{diggelen2009a-gps}; the standard in smart phone design has been set to $\pm 2.5 \, \mathrm{ppm}$ \citep{oscillatorGPSSmarthPhone}. In the worst case this puts the unknown frequency in the range of $10 \, \mathrm{kHz}-25 \, \mathrm{kHz}$.
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.70]{img/2D-SearchSpaceInk.pdf}
\caption[]{Segment of the frequency/code delay search space for a single GPS satellite}
\label{img:prnSearchSpace3d}
\end{figure}
A typical receiver searches in frequency bands, bins of several hundred Hz \citep{1656803}. A commonly used frequency bin size is $500 \, \mathrm{Hz}$, therefore there are about 20-50 bins to search \citep[Chapter 3]{diggelen2009a-gps}. The frequency search bin (band) size is a function of the desired peak magnitude loss (signal to noise ratio) due to the frequency mismatch and of the integration time period. Larger frequency bands mean a smaller number of bins to search but a greater correlation peak magnitude loss.
The frequency search bin size can be estimated using the frequency mismatch loss sinc function given in equation \eqref{eq:mistunigLoss} \citep{implSoftGPSRec}, \citep[Chapter 6]{diggelen2009a-gps}, where $\Delta f$ is the frequency mismatch in $\mathrm{Hz}$, in other words the difference between the received signal frequency and the synthesized carrier frequency on the receiver, and $T_{c}$ is the coherent integration time (usually $0.5\, \mathrm{ms}$ according to \citep{implSoftGPSRec} and \citep[Chapter 3]{diggelen2009a-gps} but depends on the implementation).
\begin{equation}
\label{eq:mistunigLoss}
D_{F} = \left\vert \frac{\sin(\pi \Delta fT_{c})}{\pi \Delta fT_{c}} \right\vert
\end{equation}
The frequency mismatch loss sinc function, $D_{F}$, is evaluated in dB, therefore for a loss of $\approx 0.98 \,\mathrm{dB}$, the frequency mismatch ought to be $\Delta f = 250\, \mathrm{Hz}$, due to the fact that the maximum loss will occur when the frequency differs by 1/2 of the bin spacing. That is to say, for a bin spacing of 500 Hz, it is 250 Hz. ``The total range of possible GPS code delays is $1\, ms$. This is because the GPS C/A PRN code is $1 \,ms$ long, and then it repeats. The PRN code chipping rate is $1.023 \,\mathrm{MHz}$, and there are 1023 chips in the complete $1\, ms$ epoch'' \citep[Chapter 3]{diggelen2009a-gps}.
%Size of the frequency
%bin is inversely proportional to the ratio between the amplitude of the detected
%peak and other non-peak values,
%the smaller the bins are the higher the peak will be.
For better understanding, a segment of the frequency/code delay search space is shown in figure \ref{img:prnSearchSpace3d}. The peak implies that the correct frequency and code delay have been found. In figure \ref{img:prnSearchSpace3d} smaller frequency bins have been used so that the concept becomes understandable to the reader.
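The carrier wipe-off, code correlation and frequency/code delay search described in subsections \ref{sec:Carrierdemod} to \ref{sec:2dSearch}, as an added Python example that is not part of the original thesis or of any receiver implementation. It assumes one sample per chip, a single noise-free $1\,\mathrm{ms}$ epoch used as the coherent integration time, a constructed two-satellite scenario, and the G2 tap pairs for PRN 1 to 4 from the GPS interface specification; all function names are hypothetical.

```python
import cmath
import math
from operator import mul

CHIP_RATE_HZ = 1.023e6  # f_PRN, the C/A chipping rate
CODE_LEN = 1023         # chips per 1 ms C/A epoch
# G2 output tap pairs for PRN 1-4 (GPS interface specification); others omitted.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9)}


def ca_bits(prn):
    """C/A Gold code of satellite `prn` from two 10-stage LFSRs (G1, G2)."""
    tap_a, tap_b = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10  # both registers start as all ones
    bits = []
    for _ in range(CODE_LEN):
        bits.append(g1[9] ^ g2[tap_a - 1] ^ g2[tap_b - 1])
        fb1 = g1[2] ^ g1[9]  # G1 = 1 + x^3 + x^10
        # G2 = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return bits


def ca_chips(prn):
    """Map code bits 0/1 to the +1/-1 chips used for correlation."""
    return [1 - 2 * b for b in ca_bits(prn)]


def delayed(code, tau):
    """Circularly delay `code` by `tau` chips (the phase shift tau)."""
    split = len(code) - tau % len(code)
    return code[split:] + code[:split]


def correlate(a, b, tau):
    """Sum of chip products of `a` with `b` delayed by `tau` chips."""
    return sum(map(mul, a, delayed(b, tau)))


def received_epoch(signals):
    """Noise-free 1 ms epoch from [(prn, code_delay_chips, doppler_hz), ...]."""
    samples = [0j] * CODE_LEN
    for prn, tau, doppler in signals:
        code = delayed(ca_chips(prn), tau)
        for n, chip in enumerate(code):
            phase = 2 * math.pi * doppler * n / CHIP_RATE_HZ
            samples[n] += chip * cmath.exp(1j * phase)
    return samples


def mismatch_loss(delta_f_hz, t_coh_s):
    """Frequency mismatch loss D_F = |sin(pi*df*T) / (pi*df*T)| (linear)."""
    x = math.pi * delta_f_hz * t_coh_s
    return 1.0 if x == 0 else abs(math.sin(x) / x)


def acquire(samples, prn, max_doppler_hz=5000.0, bin_hz=500.0):
    """Exhaustive 2D search; returns (peak_magnitude, bin_hz, code_delay)."""
    code = ca_chips(prn)
    n_bins = int(max_doppler_hz // bin_hz)
    best = (0.0, 0.0, 0)
    for k in range(-n_bins, n_bins + 1):
        f_bin = k * bin_hz
        # Carrier wipe-off: mix with the replica carrier of this bin.
        mixed = [s * cmath.exp(-2j * math.pi * f_bin * n / CHIP_RATE_HZ)
                 for n, s in enumerate(samples)]
        i_part = [m.real for m in mixed]
        q_part = [m.imag for m in mixed]
        for tau in range(CODE_LEN):
            replica = delayed(code, tau)
            mag = math.hypot(sum(map(mul, i_part, replica)),
                             sum(map(mul, q_part, replica)))
            if mag > best[0]:
                best = (mag, f_bin, tau)
    return best


# Constructed scenario: PRN 1 and PRN 3 are in view, PRN 2 is not.
SCENARIO = [(1, 417, 1600.0), (3, 200, -2400.0)]

if __name__ == "__main__":
    rx = received_epoch(SCENARIO)
    for prn in (1, 2, 3):
        peak, f_bin, tau = acquire(rx, prn)
        print(f"PRN {prn}: peak {peak:7.1f} at {f_bin:+7.1f} Hz, tau = {tau}")
    # PRN 1 lands in the 1500 Hz bin, leaving a 100 Hz residual over 1 ms.
    print(f"predicted: {CODE_LEN * mismatch_loss(100.0, 1e-3):.1f}")
```

The satellite that is not in view produces no cell anywhere near the peak of a satellite that is, which is the cross-correlation property of equation \eqref{eq:prnIdealCaseZero} in its non-ideal, finite-length form.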
The speed of searching the 2D search space (finding the peak) depends on the complexity and strategy of the implemented algorithm \citep[Chapter 6]{9780817643904}. In the worst case, there are in total 102300 combinations in the search space; this can be derived from equation \eqref{eq:totalSearch} and is visually shown in figure \ref{img:SearchSpace2d}.
\begin{equation}
\label{eq:totalSearch}
\mathrm{Search \, Space} = 50 \,\mathrm{(bins)} \cdot 1023\, \mathrm{(C/A \,codes)} \cdot 2\, \mathrm{(Phases\, per\, C/A\, chip)}
\end{equation}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/2DSearchSpace.pdf}
\caption[]{The total search space}
\label{img:SearchSpace2d}
\end{figure}
The common strategy is to start searching from the middle frequency bins and to jump up and down until the entire search space has been exhausted (first 500 Hz, second -500 Hz, then in the 1000 Hz bin and then in the -1000 Hz bin) \citep[Chapter 3]{diggelen2009a-gps}. This procedure is performed when no extra information is known by the receiver, i.e. the first time the GPS receiver is turned on. It is known as a cold start. There are three different working mechanisms when it comes to searching for the GPS satellites: when no information is known, when some information is known and when almost all information is known. These three modes are known as cold (as mentioned earlier), warm and hot start. They differ from each other in the amount of information known by the GPS receiver. Cold start indicates the GPS receiver has no almanac\footnote{Almanac information consists of rough estimation parameters for predicting the orbital position of the GPS satellites.}, ephemeris\footnote{Ephemeris information consists of precise parameters for predicting the orbital position of the GPS satellite.}, oscillator offset and time data.
In order to track the satellites faster the next time the GPS receiver is started, it stores the previously mentioned data (last known almanac, ephemeris, oscillator offset, time and position data) in its electrically erasable programmable read only memory (EEPROM). This type of start is known as a warm start, provided that the data in the receiver's EEPROM are not older than 180 days and its real time clock counter was constantly updated. In this case, the receiver uses the previously saved information to estimate the position of the satellites, so the Doppler effects can be estimated. As a consequence of the known Doppler effect, the frequency bin in which to start the search is known as well \citep[Chapter 3]{diggelen2009a-gps}. The hot start works in the same way, except that the time is known precisely, to sub-millisecond accuracy.

\section{Distance and position estimation}
This section focuses on distance and position estimation inside the GPS system. The GPS system, as mentioned earlier, takes advantage of the time of arrival (TOA) ranging concept to determine the user position. The time it takes for a signal to arrive from a known location is measured. Satellite locations can be estimated using the ephemeris data and the exact time.

\section{Assisted GPS in Wireless networks}
\label{sec:agps}
The following paragraphs present Assisted GPS (A-GPS) and how it works. A-GPS receivers work on a ``similar principle'' as warm/hot start on GPS receivers. Instead of loading the recently saved data from the EEPROM, an external transfer medium is used to deliver the same type of information that is known at a warm/hot start \citep{755159}, \citep{901174}, \citep{springerlink:10.1007/s10291-002-0028-0}. In this work, the external transfer medium is air and the information is transferred using electromagnetic waves. The existing GSM interface was utilised for the purpose of delivering the data to the smart phone with an A-GPS receiver.
The basic scenario can be seen in figure \ref{img:agpsPrinciple}. The BTS station is connected to the global navigation satellite system (GNSS) server, which is directly connected to the GPS reference station. The GPS reference station delivers exact time stamps, approximate location, satellite clock corrections, ephemeris and navigation data to the GNSS server \citep{springerlink:10.1007/s10291-002-0028-0}.
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/A-GPS.pdf}
\caption[]{Basic A-GPS principle}
\label{img:agpsPrinciple}
\end{figure}
The time stamp is not used in GSM networks since it can be off by several seconds and would require additional equipment for synchronizing the network \citep{springerlink:10.1007/s10291-002-0028-0}, \citep{901174}. However, in CDMA networks the time stamp is accurate to within $100 \, \mu \mathrm{s}$ \citep{springerlink:10.1007/s10291-002-0028-0}. The approximate location is typically taken to be the location of the BTS from which the target A-GPS receiver acquires the assistance data. Ephemeris and navigation data obtained by the A-GPS receiver help it to estimate the positions of the satellites and can greatly enhance the sensitivity of the receiver, especially in urban environments \citep{springerlink:10.1007/s10291-002-0028-0}. Conventional GPS receivers require an extra $18$ to $30\,\mathrm{s}$ to receive and decode the navigation data and to generate a location fix \citep{springerlink:10.1007/s10291-002-0028-0}.
The bit error rate associated with gathering and decoding data dramatically decreases since the acquired signals can be attenuated by $10$ to $20\, \mathrm{dB}$ indoors \citep{springerlink:10.1007/s10291-002-0028-0} of the nominal $-130 \,\mathrm{dB}$ on a $3\, \mathrm{dBi}$ ``linearly polarized user receiving antenna\footnote{A 3 dBi antenna is an antenna with a gain of $3\, \mathrm{dB}$ with respect to an isotropic (omnidirectional) antenna \citep[Chapter 2]{diggelen2009a-gps}.} (located near ground) at worst normal orientation'' \citep{GPS-Interface-Specification}.

A simplified A-GPS algorithm given in \citep{springerlink:10.1007/s10291-002-0028-0} is presented here. The more assistance data is present, the faster this algorithm runs. As the first satellites are tracked, the A-GPS algorithm has an estimate of the feasible region where the target A-GPS user might be located. This feasible region then shrinks until the location has been fully estimated \citep{springerlink:10.1007/s10291-002-0028-0}.
\begin{enumerate}[(i)]
\item Visible satellites and their positions are identified and computed from the delivered ephemeris and time data.
\item For each visible satellite $SV_i$, the code phase, $\tau_i$, is estimated.
\item Pseudoranges are calculated for each visible satellite $SV_i$.
\item The position is triangulated from the pseudoranges $\rho_i$.
\end{enumerate}
The A-GPS algorithms can be seen as a set of equations: the more of the unknown terms are known, the more straightforward it is to solve the set of equations. However, the more of the terms are unknown, the more time it takes to get (decode) them from the satellite messages. Various A-GPS algorithms exist; some do not require the exact time component and navigation data to be present in the assistance data \citep{998892}.
\section{Error estimation}

\chapter{Radio Resource Location Protocol}

\chapter{Software}
The author's test system operated on the ARFCN 877 channel. ARFCN (Absolute Radio Frequency Channel Number) defines the uplink and downlink channel frequency inside the GSM network \citep{Richard2011Master}. ARFCN 877 corresponds to the uplink frequency of 1,783.2 MHz and a downlink frequency of 1,878.2 MHz, where the uplink direction represents the direction from the nanoBTS to the mobile stations and downlink the opposite direction. The ARFCN 877 channel was chosen because it was free; this was verified by measurements carried out with a spectrum analyser built on the USRP hardware.

\chapter{Hardware}
In the following chapter the author introduces the reader to the hardware components used in the thesis. The hardware components are presented according to their importance for building an operational and functional GSM network with GPS localization capabilities. Firstly the nanoBTS is introduced, since it is the main hardware component used for building a basic GSM network infrastructure. Then a short insight into the GPS receiver used is given.
Additionally, the mobile stations used for testing the system are reviewed. Finally, a hardware connection diagram is given.

\section{GSM BTS - nanoBTS}
In recent years, there has been an increasing interest in the deployment of private cellular networks in remote areas or for research, which led to the development of diverse ``low-cost'' GSM hardware solutions. According to ip.access\footnote{http://www.ipaccess.com}, the manufacturer of nanoBTS, their hardware product is deployed for coverage of ``hard-to-reach places; in-buildings; remote areas; marine and aviation; and public spaces''. A nanoBTS with its plastic cover can be seen in Figure \ref{img:nanoBTSPlastic}. Our University GSM network consists of three nanoBTS stations. The nanoBTS deployed in the author's thesis works in the 1800 MHz frequency range, for which the University of Freiburg had obtained a licence from the Federal Network Agency (German: \textit{Bundesnetzagentur}). The transmission frequencies range between 1805-1880 MHz, with 200 kHz channel spacing and maximal output power of +13 dBm ($\approx$20 mW)\todo{Check the output power 20 dBm}, whereas the receiving frequencies lie in the range between 1710-1785 MHz with the same channel spacing of 200 kHz as for transmission \citep{nanoGSM2007brochure}. \todo{Add the Abis over IP protocol}
\begin{figure}[ht!]
\centering
\includegraphics[scale=0.50]{img/nanoBTS.jpg}
\caption[]{nanoBTS with its plastic cover. Image courtesy of ip.access ltd}
\label{img:nanoBTSPlastic}
\end{figure}
The nanoBTS is equipped with an internal 0 dBi (nominal) omni-directional antenna. However, two external antennas sized 30x36 mm, one for transmission (TX) and the other one for reception (RX) of radio waves, were used to extend the coverage area. These antennas are connected via the SMA connectors. By using an RF amplifier and larger antennas for these frequency ranges, the area covered with GSM signal reception can be increased.
The measurement equipment needed to estimate the gain and radiation angle of the used antennas was missing; these measurements were therefore not conducted and are not described in this work.\todo{Check for what NWL is}

At the bottom of the nanoBTS there are 5 ports, as seen in Figure \ref{img:nanoBTSPorts}. The ports from left to right are: voltage supply, ethernet cable with power supply, USB port, TIB-IN and TIB-OUT. In the next paragraph a brief overview of each port will be given.

\begin{figure}[ht!]
\centering
\includegraphics[scale=0.15]{img/nanoBTSPorts.jpg}
\caption[]{nanoBTS with two external antennas and five connection ports}
\label{img:nanoBTSPorts}
\end{figure}

The leftmost port is the power supply port, used for supplying the nanoBTS with 48 V DC; its use is optional, depending on the cable configuration. In the author's hardware configuration the power supply port is not used. The following port is for the ethernet connection with 48 V DC power supply. This port is connected to a power supply that is supplied with the nanoBTS. It extends the ethernet connection with 48 V DC for the normal operation mode of the nanoBTS, which is in the range between 38-50 V DC. The power consumption of the nanoBTS is 13 W. More details on how to interconnect the cables will be given in section \ref{sec:hardwareConfig}. In the middle of the five port region, the mini USB port can be found. It is used by the manufacturer to write the firmware software to the nanoBTS. The last two ports are the TIB-IN and TIB-OUT ports\footnote{TIB stands for Timing Interface Bus}. These two ports are used if the GSM network operator requires more than 11 channels to increase the overall capacity of the network. ``Up to 4 nanoBTS can be combined into a multiple TRX cell, increasing the number of supported users per TRX by up to 200\%. The TIB-OUT from the Master TRX must be connected to the TIB-IN of the slave TRX. This in turn has its TIB-OUT connected to the next TRX in the chain'' \citep{multipleTRX}.
The multiple TRX cell configuration will not be further discussed in this work, since the purpose of the work was not to boost the capacity of a GSM network but to implement and test the RRLP protocol.

To determine the working state of the nanoBTS, an indicator status LED is located on the left side of the five ports region. After the nanoBTS is connected to the power supply with the ethernet cable, the LED will change its color and blink speed according to the state it is in. The states are listed in Table \ref{tbl:LEDStatus} \citep{installnanoBTS}.

One of the key limitations of gathering more technical data, and the critical aspect of this description, lies in the fact that the nanoBTS is not an open source hardware platform and ip.access does not offer more details on their product. The lack of systematic hardware analysis can be seen as a major drawback of working with the nanoBTS hardware. However, the given technical data are sufficient for reproducing and conducting the RRLP tests described in this thesis.

\begin{table}[h!t!p!]
\begin{center}
\caption{Indicator LED status on the nanoBTS}
\begin{tabular}{|c||p{3cm}|p{5cm}|c|}
\hline
% \T and \B would not work if it is placed here (needs to go inside cell)
State&Color \& Pattern&When&Precedence \\ \hline\hline
Self-test failure&Red - Steady&In boot or application code when a power on self-test fails&1 (High) \\ \hline
Unspecified failure&Red - Steady &On software fatal errors&2 \\ \hline
No ethernet&Orange - Slow flash &Ethernet disconnected&3 \\ \hline
Factory reset&Red - Fast blink &Dongle detected at start up and the factory defaults have been applied&4 \\ \hline
Not configured&Alternating Red/Green - Fast flash &The unit has not been configured&5 \\ \hline
Downloading code&Orange - Fast flash &Code download procedure is in progress&6 \\ \hline
Establishing XML&Orange - Slow blink &A management link has not yet been established but is needed for the TRX to become operational.
Specifically: for a master a Primary OML or Secondary OML is not yet established; for a slave an IML to its master or a Secondary OML is not yet established.&7 \\ \hline
Self-test &Orange - Steady & From power on until end of backhaul power on self-test&8 \\ \hline
NWL-test &Green - Fast flash & OML established, NWL test in progress&9 \\ \hline
OCXO Calibration &Alternating Green/Orange - Slow blink & The unit is in the fast calibrating state [SYNC]&10 \\ \hline
Not transmitting &Green - Slow flash & The radio carrier is not being transmitted &11 \\ \hline
Operational &Green - Steady & Default condition if none of the above apply&12 (Low) \\ \hline
\end{tabular}
\label{tbl:LEDStatus}
\end{center}
\end{table}

\newpage
\section{GPS Receiver - NL-402U}
\label{sec:gpsDevice}
In the next paragraphs the used GPS device will be described. In contrast to the earlier described hardware, the nanoBTS, which the University of Freiburg already owned, the budget for the GPS receiver was limited and the Navilock NL-402U was bought considering only a single criterion, the price. The Navilock NL-402U GPS receiver is based on the u-blox UBX-G5000 single chipset and is a one chip solution \citep{ubxDatasheet}. It can be seen in Figure \ref{img:gpsNavilock} with its passive ceramic patch antenna. The operating frequency of the receiver is 1575.42 MHz, which corresponds to the L1 civil frequencies and Coarse/Acquisition (C/A) code. The GPS chipset consists of 50 channels; each channel tracks the transmission from a single satellite \citep{understandGPS}. It is important to note that the number of channels inside a GPS receiver interrelates with the amount of time required to get the first fix. Receiver tracking sensitivity is -160 dBm ($10^{-16}$ mW). The GPS receiver communicates with the computer over the USB port. Although the GPS receiver uses a USB interface, on the computer it emulates 2 UART ports, which are serial communication interfaces.

\begin{figure}[ht!]
\centering
\includegraphics[scale=0.12]{img/gpsNavlock.jpg}
\caption[]{Navilock NL-402U, opened up with the antenna and USB cable}
\label{img:gpsNavilock}
\end{figure}

\section{Cable configuration}
\label{sec:hardwareConfig}
In the next section, the author will focus on properly connecting the hardware. At least 4 ethernet cables with RJ45 connectors on both sides were required, as well as one switch or hub connected to the internet. One should take notice of the cabling between the nanoBTS and the ethernet switch or hub, since wrong cabling with the power supply unit (PSU) could damage one of the devices. In Figure \ref{img:connectionDiagram}, the junction points are labelled according to the used configuration setting. The ethernet cables between the switch/hub, PSU and nanoBTS should not be longer than 100 m \citep{installnanoBTS}.

\begin{figure}[ht!]
\centering
\includegraphics[scale=0.5]{img/hardwareConnection}
\caption[]{Cable connections, showing interconnection diagram}
\label{img:connectionDiagram}
\end{figure}

\chapter{Implementation}

\chapter{Future work}

\chapter{Summary}

\chapter*{Dictionary of acronyms}
\begin{itemize}
\item \emph{ARFCN} - Absolute Radio Frequency Channel Number - The channel number specifies the physical frequency channel used for transmission and reception of radio waves inside a BTS-covered area.
\item \emph{BTS} - Base Transceiver Station -
\item \emph{DC} - Direct Current
\item \emph{GNSS} - Global Navigation Satellite System - A satellite navigation system that allows a specialized receiver to determine its location on Earth.
\item \emph{LED} - Light Emitting Diode - A diode that emits light.
\item \emph{IP Address} - \todo{Write what an IP address is}.
\item \emph{PCB} - Printed Circuit Board - The board onto which electronic components are soldered and wired through conductive tracks.
\item \emph{RRLP} - Radio Resource Location Protocol - The protocol employed in GSM, UMTS and other wireless networks for providing and exchanging geolocation information.
\item \emph{SMA} - SubMiniature version A - SMA is a connector used for interconnecting coaxial cables or PCB electronics that work in the frequency range between 0-18 GHz.
\item \emph{TIB} - Time Interface Bus - The TIB is used to provide the synchronization of the clock, frequency and frame number between the nanoBTS when operating in a single 2-4 BTS configuration.
\item \emph{TRX} -
\item \emph{UART} - Universal Asynchronous Receiver Transmitter - A serial communication interface used by computers or other peripheral devices to communicate.
\item \emph{UMTS} - Universal Mobile Telecommunications System - Third generation mobile network based on the GSM standards.
\end{itemize}
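
The ARFCN entry above and the ARFCN 877 frequencies quoted in the Software chapter follow the GSM channel numbering rule. The sketch below is an added example, not code from the thesis or from OpenBSC; it goes beyond the single DCS 1800 case in the text to several GSM bands. It assumes the band table of 3GPP TS 45.005, uses function names of its own, and keeps frequencies as integers in units of 100 kHz.

```python
# Added example: GSM ARFCN -> carrier frequencies (channel numbering of 3GPP TS 45.005).
# Frequencies are integers in units of 100 kHz, so 17832 means 1783.2 MHz.

# band: list of (first ARFCN, last ARFCN, base of lower band, ARFCN offset, duplex spacing)
BANDS = {
    "GSM850":   [(128, 251, 8242, 128, 450)],
    "P-GSM900": [(1, 124, 8900, 0, 450)],
    "E-GSM900": [(0, 124, 8900, 0, 450), (975, 1023, 8900, 1024, 450)],
    "DCS1800":  [(512, 885, 17102, 512, 950)],
    "PCS1900":  [(512, 810, 18502, 512, 800)],
}


def arfcn_to_freq10(arfcn, band):
    """Return (uplink, downlink) in 100 kHz units; ValueError if undefined."""
    if band not in BANDS:
        raise ValueError(f"unknown band {band!r}")
    for first, last, base, offset, spacing in BANDS[band]:
        if first <= arfcn <= last:
            uplink = base + 2 * (arfcn - offset)   # 200 kHz channel raster
            return uplink, uplink + spacing        # fixed duplex spacing
    raise ValueError(f"ARFCN {arfcn} is not defined for {band}")


def candidate_bands(arfcn):
    """An ARFCN alone is ambiguous: 512-810 exist in DCS 1800 and PCS 1900."""
    return [band for band, ranges in BANDS.items()
            if any(first <= arfcn <= last for first, last, *_ in ranges)]


def fmt_mhz(freq10):
    """Format a 100 kHz-unit integer as MHz without floating point."""
    return f"{freq10 // 10}.{freq10 % 10} MHz"


if __name__ == "__main__":
    up, down = arfcn_to_freq10(877, "DCS1800")     # channel used in the thesis
    print("ARFCN 877:", fmt_mhz(up), "uplink,", fmt_mhz(down), "downlink")
    print("ARFCN 600 could be:", candidate_bands(600))
```

Because the DCS 1800 and PCS 1900 channel numbers overlap, the band has to be supplied alongside the ARFCN; the number alone does not identify a frequency.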