\setchapterpreamble[u]{% \dictum[Stobaeus] {What use is knowledge if there is no understanding?} } \chapter{Introduction to GSM and GPS} \section{Motivation} \section{Goals of the thesis} The goal of the following thesis is to: - implement the Radio Resource Location Protocol inside of OpenBSC, to the extent of delivering correct GPS assistance data to cell phone subscribers inside the GSM network - test the protocol on 5-10 different smart phones - describe and analyse the background processes taking place inside of the cell phone \chapter{GPS \& Assisted-GPS} In the new global economy age, GPS positioning has become of important value for various services and businesses. It has been growing at a rate of 30\% in the past few years and the application market is expected to be worth \euro 240 billion by 2020 only in Europe \citep{gpsMoney}. The goal of this chapter is to bring more details and insights of how GPS receivers work. The chapter is divided in few sections that explain how the data are modulated before transmission, demodulated on the receiver, how the search space works, how the target user position is estimated and the errors that can influence the overall working of the system. \begin{figure}[ht!] \centering \includegraphics[scale=0.38]{img/satelliteRanges.pdf} \caption[]{GPS Simple working principle, a) example in 3D space with spheres b) example in 2D space with circles.} \label{img:GPSSimplePrinciple} \end{figure} In this paragraph the general idea will be given how GPS works and how the position is estimated. Before all the details are revealed in the following sections, it is important to understand the basic principle of GPS navigation. GPS positioning works by using the principle of \textit{trilateration}. Distances from the satellites to the GPS receiver are measured and from these distances receiver's position is estimated. The distances are estimated by measuring the signal propagation time between the satellites and the receiver, this position estimation technique is also known as time-of-arrival (TOA) method. Once sufficient amount of measurements from different satellites were generated, the position of the receiver can be approximated. It is important to understand that the positions from the satellites need to be known. The general principle of this idea can be seen in figure \ref{img:GPSSimplePrinciple}, picture \textit{a)} represents the idea with spheres in 3D space and picture \textit{b)} the same idea but in 2D space. The blue, yellow and green wireframes below the GPS satellites represent the spheres for a given range, between the satellite and the GPS user, where the user might be located. By intersecting all the three spheres, the position of the user is estimated. In the next sections this general idea will be developed in more details step by step and the ideas will be verified using the appropriate mathematical models. \section{GPS data and signal modulation} The aim of this section is to give the reader an overview of the transmitted GPS data and to understand what type of processing takes place on the GPS satellite itself. As mentioned in the paragraph earlier, to estimate the position of the GPS receiver, it is important to know the position of the satellite at the moment of signal transmission. Prior to releasing the data in the athmosphere, they need to be modulated in order for the GPS receiver to receive and demodulate them. Each one of the GPS satellites transmits the same type of information. The transmitted data are called \textit{frames} \citep{9780817643904}. One frame of data can be seen in figure \ref{img:gpsframe}. Every of the 25 transmitted frames can be divided into five subframes of 300 bits length \citep{diggelen2009a-gps}. The data in the frames are called \textit{navigation data} because using them the GPS receiver can estimate user's position. \begin{figure}[ht!] \centering \includegraphics[scale=0.60]{img/NAV-Message.pdf} \caption[]{One frame of 1500 bits on L1 frequency carrier} \label{img:gpsframe} \end{figure} Each subframe can be divided into three fields of data, as shown in figure \ref{img:gpssubframe}, telemetry (TLM) as well as handover (HOW) word and rest of data. TLM is the first word of the subframe and consists of a unique preamble used to synchronize and identify the subframes \citep{9780817643904}. HOW is the second word of the subframe and consists of the \textit{GPS system time} and subframe ID \citep{9780817643904}. GPS system time is the time the atomic clocks on the satellite generate at the moment of subframe broadcast \citep{GPS-Interface-Specification}. The third segment of the subframe, indicated as rest of data in figure \ref{img:gpssubframe}, consists of the navigation data. The first subframe includes data about the satellite accuracy and health as well as parameters used for the clock corrections on the receiver side. More details on these parameters will be given in section \ref{sec:SigDemod}. Subframe two and three are made of \textit{ephemeris data}. Ephemeris information are precise parameters for predicting the precise orbital position of the GPS satellite. Using ephemeris data for the specific system time stamp and the equations given in appendix section \ref{sec:gpsConsAndEq} the GPS receiver can precisely estimate the position $(x_s,y_s,z_s)$ of the satellite. The first three subframes are satellite dependent and do not change in the transmitted 25 frames beside the system time stamp \citep{GPS-Guide}. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/GPSSubframe.pdf} \caption[]{Subframes always start with telemetry and handover words} \label{img:gpssubframe} \end{figure} Fourth and fifth subframes include \textit{almanac data}, low-precision clock corrections, ionospheric model and UTC time calculation parameteres. Almanac information are rough coarse parameters for predicting the orbital position of the GPS satellites. These low-precision parameters are used by the GPS receiver to estimate the rough position of the GPS satellites and to reduce the searching space for the GPS satellite transmission frequencies\footnote{Although all satellites transmit on the same one frequency, when the signals are received on Earth, they have a different frequency from the transmitted one. This will be further explained in more details in the following sections \ref{sec:Carrierdemod}, \ref{sec:CAdemod} and \ref{sec:2dSearch}.} and obtaining the precise ephemeris data. Ionospheric model and UTC time calculation parameters are required by the GPS receiver to refine the calculation of delays through the ionosphere \citep{9780817643904}. The reason why there are 25 frames is because of the last two subframes, four and five. Subframes four and five have data which cycle through the 25 frames, i.e. almanac data are transmitted for all the GPS satellites in case the receiver found only one satellite and once it collected all almanac data, it can precisely search for other GPS satellites. These 25 frames create a masterframe. Once the 25 frames have been transmitted, the process is repeated from the start. The just mentioned data are modulated in real time at the moment of transmission. The transmitted signal after the RF frontend is given in equation \eqref{eq:GPSSignalReceived} \citep{1656803}. \begin{equation} \label{eq:GPSSignalReceived} S(t) = \sqrt{\frac{P}{2}}d_{C/A}cos(2\pi f_{c}+\varphi_{SV}) + n(t) \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.60]{img/GPS-Modulation.pdf} \caption[]{Modulation of the GPS signal L1} \label{img:gpsmod} \end{figure} \section{GPS signal acquisition and demodulation} \label{sec:SigDemod} The GPS satellites\footnote{Satellites are named as space vehicles and the abrevation SV is used in the equation notations to denote a parameter related to the satellite itself.} orbiting our planet, at a distance of approximately $20200 \, km$, are equiped with precise atomic clocks \citep[Chapter 2.7]{diggelen2009a-gps}. These atomic clocks are calibrated and maintained on a daily basis by the U.S. Air Force \citep{GPS-Pentagon}. The time the atomic clock generate, refered earlier as GPS system time, denoted as $t_{SV}$, is generated as a time stamp at the moment of the subframe broadcast \citep{GPS-Interface-Specification}. In addition to the broadcast time, subframe 1 contains parameters to account for the deterministic clock errors embedded in the broadcasted GPS system time stamp. These errors can be characterized as bias, drift and aging errors \citep{GPS-Interface-Specification}. The correct broadcast time, denoted as $t$, can be estimated using the model given in equation \eqref{eq:timecorrection1} \citep{GPS-Interface-Specification}. In equation \eqref{eq:timecorrection2}, where the GPS receiver is required to calculate the satellite clock offset, denoted as $\Delta t_{SV}$, a number of unknown terms can be seen. These terms are encapsulated inside of the transmitted frames. The polynomial coefficients: $a_{f0}$ - \textit{clock offset}, $a_{f1}$ - \textit{fractional frequency offset}, $a_{f2}$ - \textit{ fractional frequency drift}; and $t_{0c}$ - \textit{reference epoch} are encapsulated inside of subframe 1. The only remaining unknown term left in equation \eqref{eq:timecorrection2} is the \textit{relativistic correction term}, denoted as $\Delta t_{r}$. $\Delta t_{r}$ can be evaluated by applying the equation given in \eqref{eq:timecorrection3}. $F$ is a constant calculated from the given parameters in \eqref{eq:paramconst1} and \eqref{eq:paramconst2}, whereas $e$, $\sqrt{A}$ and $E_{k}$ are \textit{orbit parameters} encapsulated in subframe 2 and 3 \citep{GPS-Interface-Specification}. \begin{equation} \label{eq:timecorrection1} \centering t=t_{SV}-\Delta t_{SV} \end{equation} \begin{alignat}{4} & \Delta t_{SV} &= \;& a_{f0} + a_{f1}(t_{SV}-t_{oc}) + a_{f2}(t_{SV}-t_{oc})^{2} + \Delta t_{r} \label{eq:timecorrection2} \\ & \Delta t_{r} &= \; & Fe\sqrt{A}\sin{E_{k}} \label{eq:timecorrection3} \\ & F &= \;& \frac{-2\sqrt{\mu_{e}}} {c^{2}} = -4.442807633 \cdot 10^{-10} \frac{s}{\sqrt{m}} \label{eq:timecorrection4} \end{alignat} Nevertheless, the broadcast satellite time information is not sufficient to estimate the precise time at the moment of the signal arival. Even though the signal arrives in approximately\footnote{Propagation time depends on user and GPS satellite position.} $77 \, ms$, the precision of the atomic clock is in the range of 10 ns \citep[Chapter 2]{diggelen2009a-gps}. Undoubtedly the signal propagation (travel) time, denoted as $t_{prop}$, has to be taken into account. In that case, the exact time at the moment of arival is known, denoted as $t_{exact}$ and is given in equation \eqref{eq:exactTime}. The signal propagation time must be known to estimate the distance from the satellite but is not sufficient to estimate the position of the GPS receiver. More importantly, $t_{exact}$ time will be later used to synchronize various time dependent systems like the GSM, LTE, GNSS or other communication and ranging systems. \begin{equation} \label{eq:exactTime} t_{exact} = t_{prop}+t \end{equation} \subsection{Carrier wave demodulation} \label{sec:Carrierdemod} In order to calculate the signal propagation time between the satellite and the receiver, the internal sine wave synthesizer inside of the receiver has to be synchronized with the carrier sine wave generator of the GPS satellite \citep{4560215}. In other words, the identical carrier wave replica has to be generated on the receiver as on the satellite \citep{736341}. However, the received signal is not the equivalent of the transmitted signal. Due to the nature of the Doppler effect\footnote{Doppler effect is a phenomenon that happens as a result of relative motion of the two bodies, transmitter and receiver, towards or away from each other and causes frequency shift of the electromagnetic wave \citep[Chapter 4]{3540727140}.} and wave propagation, the transmitted signal arrives phase disordered at the receiver \citep{4560215}. This phase disorder is a consequence of the relationship between the instantaneous frequency and instantaneous phase according to equations \eqref{eq:freqPhase} and \eqref{eq:phaseFreq}. \begin{equation} \label{eq:freqPhase} f(t)=\frac{1}{2\pi}\frac{\partial}{\partial t}\phi(t) \end{equation} \begin{equation} \label{eq:phaseFreq} \phi(t) = 2\pi \int_{-\infty}^{t} f(\tau) d\tau \end{equation} Considering that the GPS satellites orbit the Earth with a speed of around $3.9 \, km/s$, the Earth rotates around its axis and the target user with the GPS receiver may move as well, the Doppler effect is unavoidable. The observed phase at the receiver antenna, denoted as $\varphi_{o}$, can be described using the equation given in \eqref{eq:phaseShift}, where $\varphi_{GPS}$ represents the known satellite carrier wave phase, $\delta \varphi_{SV}$ the clock instabilities on the GPS satellite, $\varphi_{a}$ the phase shift error caused by propagation delays in the ionosphere and troposphere respectively, $\delta \varphi_{DE}$ the phase shift caused by the Doppler effect and $\delta \varphi_{w}$ is the wideband noise phase shift. \begin{equation} \label{eq:phaseShift} \varphi_{o} = \varphi_{GPS}+ \delta\varphi_{SV} + \varphi_{a} +\delta \varphi_{DE} + \delta \varphi_{w} \end{equation} The task of the demodulation process is to generate a replica carrier wave with the matching phase shift and mix it with the incoming signal. In the ideal case the observed phase on the antenna and the generated phase on the receiver, denoted as $\varphi_{rec}$, cancel each other out, that is to say, equation \eqref{eq:phaseIdealCase} equals zero. The circuit responsible for generating the same carrier wave is the phase locked loop (PLL). The PLL modifies the synthesized wave parameters such that, $\lim \Delta \varphi \approx 0$. \begin{equation} \label{eq:phaseIdealCase} \Delta \varphi = \varphi_{o} - \varphi_{rec} \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.5]{img/Phase-Diff.pdf} \caption[]{Two equivalent carrier waves with the same frequency but different phase shift} \label{img:phaseShift} \end{figure} \begin{figure}[ht!] \centering \includegraphics[scale=0.5]{img/L1-Demodulation.pdf} \caption[]{Demodulation of the L1 GPS signal} \label{img:L1Demod} \end{figure} This is straightforward to understand by looking at the multiplication of two sine waves. The GPS L1 signal demodulator at the receiver is depicted in figure \ref{img:L1Demod}, the incoming signal L1 is multiplied with the synthesized sine wave (multiplication is the function of a mixer, denoted as $\otimes$ in figure \ref{img:L1Demod}). For the purpose of easier analysis, cosine waves will be used istead of sine waves, the difference between them is only in the phase shift, as denoted in equation \eqref{eq:sineEqCosine}. \begin{equation} \label{eq:sineEqCosine} \sin(\pm x) = \cos\bigg(\frac{\pi}{2} \pm x\bigg) \end{equation} Multiplication of two cosine waves, as in equation \eqref{eq:multCosin}, can be derived by adding $\cos(A+B)$ and $\cos(A-B)$, as respectively given in equations \eqref{eq:cos1} and \eqref{eq:cos2}. \begin{equation} \label{eq:multCosin} \cos(A)\cdot\cos(B) = \frac{1}{2}\cos(A-B)+\frac{1}{2}\cos(A+B) \end{equation} \begin{equation} \label{eq:cos1} \cos(A+B) = \cos(A)\cos(B)-\sin(A)\sin(B) \end{equation} \begin{equation} \label{eq:cos2} \cos(A-B) = \cos(A)\cos(B)+\sin(A)\sin(B) \end{equation} The incoming GPS L1 signal with a frequency $f_{1}$, given in figure \ref{img:L1Demod}, can be written as $d_{C/A}\cos(\omega_{1}t)$, where $\omega_{1}=2\pi f_{1}$ is the angle frequency and $d_{C/A}$ is the C/A data (navigation message modulated with the PRN code), $d_{C/A}=d_{PRN}\oplus d_{NAV}$. If equation \eqref{eq:multCosin} is rewritten with the received GPS signal L1 and synthesized wave with a frequency $f_{2}$, the equation results the one given in \eqref{eq:cosResult} \begin{equation} \label{eq:cosResult} d_{C/A}\cdot\cos(\omega_{1}t)\cos(\omega_{2}t) = \frac{1}{2}d_{C/A}\cdot\cos(\omega_{1}t-\omega_{2}t) + \frac{1}{2}d_{C/A}\cos(\omega_{1}t+\omega_{2}t) \end{equation} This leaves the resulting signal with two frequency terms, a low frequency term $(\omega_{1}t-\omega_{2}t)$ and a high frequency term $(\omega_{1}t+\omega_{2}t)$, the $t$ can be taken in front of the bracket as it is a common multiplier. The high frequency term, $(\omega_{1}+\omega_{2})$, can be filtered out using a low-pass filter\footnote{A low-pass filter passes low frequency signals and attenuates high frequency signals. In other words, signals higher than the specified cutoff frequency of the low-pass filter, are cut off by reducing their amplitudes.}. Ideally, the difference of the angle frequencies is zero, as in equation \eqref{eq:delaOmega}, since $\cos(\Delta \omega)=\cos(0)=1$ and the remaining left signal is only the C/A code multiplied with the DC term (zero frequency producing a constant voltage) leaving only $\frac{1}{2}d_{C/A}$. \begin{equation} \label{eq:delaOmega} \Delta \omega = \omega_{1}-\omega_{2} = 0 \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.5]{img/PRN-PhaseShiftAfterDemod.pdf} \caption[]{Effects of the low frequency term on the demodulated output C/A wave on the GPS receiver (the explanations and figures are from top to bottom). If the synthesized frequency is correct, $f_{1}=f_{2}$, the low frequency term becomes a DC term and does not modify the output $d_{C/A}$ wave (first figure). If the frequency matches but the phase not, in this case the phase is shifted for $\pi$, then $d_{C/A}$ is inverted (second figure). If the phase shifts with time, then the amplitude and phase of $d_{C/A}$ will vary as well (third figure).} \label{img:multCAPhase} \end{figure} However, if the frequencies do not match, $f_{1}\neq f_{2}$, then the output signal $\frac{1}{2}d_{C/A}$ will be modified by the residual frequency $f_{1}-f_{2}$, and subsequently will change the demodulated C/A output (also known as phase shift). Under those circumstances the correlator will be unable to match the C/A code with the correct PRN code. An illustration of this phenomenon is depicted in figure \ref{img:multCAPhase}. \subsection{C/A wave demodulation} \label{sec:CAdemod} As a result of the previous step, one can continue with the demodulation of the C/A wave. Each tracked GPS satellite signal is demodulated seperately using the same PRN code, code chipping rate and carrier frequency-phase (which was determined above) for the given satellite \citep[Chapter 4]{understandGPS}. The PRN codes for each GPS satellite is well defined and known by the GPS receiver. The receiver has to generate the same PRN code with matching code chipping rate (phase) of the transmitted C/A code, this is depicted in figure \ref{img:prnCodeCompare} \citep[Chapter 5]{understandGPS}. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/PRN-ChipRate.pdf} \caption[]{Comparison between the original C/A code generated on the GPS satellite with two synthesized PRN codes with a different phase shift on the receiver.} \label{img:prnCodeCompare} \end{figure} For the particular example, the matching phase shift was achieved with the second replica PRN code, with a phase shift of $\tau=0$ but there could be a case with any other value of $\tau$, $\tau\in[0,1023]$. Implementation of the PRN code synthesizer depends on the GPS receiver manufacturer but it is usually implemented as a linear feedback shift registers (LFSR) that produces an output according to a predefined function $f(\tau)$. This function, $f(\tau)$, generates an PRN code, that is delayed in phase by $\tau$, where $\tau$ is a multiple of the chipping rate period $T_{c}=977.5 \,ns$. The chipping period $T_{c}$ can be derived from equation \eqref{eq:chipPeriod}. The time required to find a matching PRN code shift, $\tau$, is proportional to the amount of LFSR on the system \citep[Chapter 3]{bensky2008wireless}. Clearly with more LFSRs the required time for finding the matching phase shift increases. \begin{equation} \label{eq:chipPeriod} T_{c} = \frac{1}{f_{PRN}} = \frac{1}{1.023\cdot 10^6} \end{equation} To determine whether the synthesized PRN code, matches the incoming C/A code of the received satellite signal, known correlation properties of PRN codes are used. Since the PRN code is modeled as a sequence of +1's and -1's, the autocorrelation of a signal is at its maximum if it is in phase, i.e. summing up the sequence products yields the absolute maximum value. As an illustration of the idea, an example is given in figure \ref{img:correlatingSignals}. The cross-correlation of the incoming C/A code with the first synthesized PRN code produces a result of $-3=(+1)\cdot(-1)+(-1)\cdot(+1)+(+1)\cdot(-1)+(+1)\cdot(+1)+(-1)\cdot(+1)$, whereas the cross-correlation of the incoming C/A code and the second synthesized PRN code yields a result of $+5=(+1)\cdot(+1)+(-1)\cdot(-1)+(+1)\cdot(+1)+(+1)\cdot(+1)+(-1)\cdot(-1)$. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/Correlation.pdf} \caption[]{Cross-correlation on three different signals} \label{img:correlatingSignals} \end{figure} The same principle applies to the sent C/A and PRN code sequences in the GPS receiver and thus can be modeled using the equation given in \eqref{eq:autocorrelationProperty}, where $G_{i}(t)$ is the C/A code Gold code sequence as a function of time $t$, for the GPS satellite $i$; $T_{C/A}$ is the C/A chipping period of $977.5 \,ns$ and $\tau$ is the phase shift in the auto-correlation function \citep[Chapter 4]{understandGPS}. \begin{equation} \label{eq:autocorrelationProperty} R_{i}(t) = \frac{1}{1023\cdot T_{C/A}} \int_{t=0}^{1023} G_{i}(t)G_{i}(t+\tau)d\tau \end{equation} Another correlation property of the PRN codes comes in useful, the fact that in the ideal case the cross-correlation of two different PRN codes yields a result of zero. The ideal case can be modeled as in equation \eqref{eq:prnIdealCaseZero}, \begin{equation} \label{eq:prnIdealCaseZero} R_{ij}(\tau) = \int_{-\infty}^{+\infty} PRN_{i}(t)PRN_{j}(t+\tau)d\tau = 0 \end{equation} where $PRN_{i}$ is the PRN code waveform for GPS satellite $i$ and $PRN_{j}$ is the PRN code waveform for every other GPS satellite other than $i$, $i\neq j$ \citep[Chapter 4]{understandGPS}. Equation \eqref{eq:prnIdealCaseZero} ``states that the PRN waveform of satellite $i$ does not correlate with PRN waveform of any other satellite $j$ for any phase shift $\tau$'' \citep[Chapter 4]{understandGPS}. Without the property given in \eqref{eq:prnIdealCaseZero}, the GPS receiver would not be able to smoothly differentiate between different GPS satellite signals. Once the phase shift, $\tau$, has been found, the C/A code is modulated (XORed) with it. The resulting binary code will be the navigation message. The implementation problem of finding correct C/A and carrier wave demodulation will be further explained in the following section \ref{sec:2dSearch}. \subsection{Implementation of the 2D search space problem} \label{sec:2dSearch} In the following paragraphs an introduction will be given on the implementation problems of the previously mentioned concepts. As it can be seen, from subsections \ref{sec:CAdemod} and \ref{sec:Carrierdemod}, decoding the GPS navigation message is a 2D search space problem for each GPS satellite signal acquisition. The 2D search space is limited by well known physical properties of the GNSS system such as the motion speed of GPS satellites and the receiver as well as the frequency oscillator on the receiver. GPS satellites move toward or away from the GPS receiver with a speed of $800 \, \mathrm{m/s}$ \citep[Chapter 3]{diggelen2009a-gps}. The Doppler effect on the frequency of the satellite can be estimated using equation \eqref{eq:dopplerEffectSpeed}, where $f_{e}$ is the emitting frequency (L1), $v_{SV}$ is the speed of the satellite towards (away from) the receiver and $c$ is the speed of light. \begin{equation} \label{eq:dopplerEffectSpeed} f_{DE} = f_{e}\frac{v_{SV}}{c} \end{equation} Inserting the appropriate values in equation \eqref{eq:dopplerEffectSpeed} yields a result of $\approx4.2 \, \mathrm{kHz}$, for $800 \, \mathrm{m/s}$ and $\approx-4.2 \, \mathrm{kHz}$ (if the satellite moves away from the GPS receiver then the speed is taken as negative). This makes a range of $\approx8.4 \mathrm{kHz}$. The Doppler effect of the GPS receiver motion can be ignored since for each $1 \, \mathrm{km/h}$ of movement, it affects the frequency range for $\approx 1.46 \mathrm{Hz}$. On the other hand, the frequency offset induced by the reference oscillator in the GPS receiver can not be ignored. The frequency search space is ``additionaly affected for $1.575 \, \mathrm{kHz}$ of unknown frequency offset for each $1 \, \mathrm{ppm}$ (\textit{parts per million}) of the unknown receiver oscillator offset'' \citep[Chapter 3]{diggelen2009a-gps}. The reference oscillators in GPS receivers have typically an offset of $\pm0.5, \pm1, \pm2, \pm3, \mathrm{or} \pm5 \,\mathrm{ppm}$ \citep{daishinku}, \citep[Chapter 3]{diggelen2009a-gps}, the standard in smart phone design has been set to $\pm 2.5 \, \mathrm{ppm}$ \citep{oscillatorGPSSmarthPhone}. In the worst case this makes the unknown frequency to be in range of $10 \, \mathrm{kHz}-25 \, \mathrm{kHz}$. \begin{figure}[ht!] \centering \includegraphics[scale=0.70]{img/2D-SearchSpaceInk.pdf} \caption[]{Segment of the frequency/code delay search space for a single GPS satellite} \label{img:prnSearchSpace3d} \end{figure} A typical receiver searches in frequency bands, bins of several hundred Hz regions \citep{1656803}. Commonly used frequency bin size is $500 \, \mathrm{Hz}$, therefore there are about 20-50 bins to search \citep[Chapter 3]{diggelen2009a-gps}. The frequency search bin (band) size is a function of the desired peak magnitude loss (signal to noise ration) due to the frequency mismatch and integration time period. Larger frequency bands mean a smaller number of bins to search but a greater correlation peak magnitude loss. The frequency search bin size can be estimated using the frequency mimsmatch loss sinc function given in equation \eqref{eq:mistunigLoss} \citep{implSoftGPSRec}, \citep[Chapter 6]{diggelen2009a-gps}, where $\Delta f$ is the frequency mismatch in $\mathrm{Hz}$, in other words it represents the difference between the received signal frequency and the synthesized carrier frequency on the receiver; and $T_{c}$ is the coherent integration time (usually $0.5\, ms$ according to \citep{implSoftGPSRec} and \citep[Chapter 3]{diggelen2009a-gps} but depends on the implementation). \begin{equation} \label{eq:mistunigLoss} D_{F} = \left\vert \frac{\sin(\pi \Delta fT_{c})}{\pi \Delta fT_{c}} \right\vert \end{equation} The frequency mimsmatch loss sinc function, $D_{F}$, is evaluated in dB, therefore for a loss of $\approx 0.98 \,\mathrm{dB}$, the frequency mismatch ought to be $\Delta f = 250\, \mathrm{Hz}$, due to the fact that the maximum loss will occur when the frequency is differing by 1/2 of the bin spacing. That is to say, for a bin space of 500 Hz, it is 250 Hz. ``The total range of possible GPS code delays is $1\, ms$. This is because the GPS C/A PRN code is $1 \,ms$ long, and then it repeats. The PRN code chipping rate is $1.023 \,\mathrm{MHz}$, and there are 1023 chips in the complete $1\, ms$ epoch'' \citep[Chapter 3]{diggelen2009a-gps}. %Size of the frequency %bin is inversely proportional to the ratio between the amplitude of the detected %peak and other non-peak values, %the smaller the bins are the higher the peak will be. For the purpose of better understanding, a segment of the frequency/code delay search space is shown in figure \ref{img:prnSearchSpace3d}. The peak implies the correct frequency and code delay have been found. In figure \ref{img:prnSearchSpace3d} smaller frequency bins have been used so that the concept becomes understandable to the reader. The speed of searching the 2D search space (finding the peak) depends on the complexity and strategy of the implemented algorithm \citep[Chapter 6]{9780817643904}. In the worst case, there are in total 102300 conbinations in the search space, this can be derived from equation \eqref{eq:totalSearch}, visually shown in figure \ref{img:SearchSpace2d}. \begin{equation} \label{eq:totalSearch} \mathrm{Search \, Space} = 50 \,\mathrm{(bins)} \cdot 1023\, \mathrm{(C/A \,codes)} \cdot 2\, \mathrm{(Phases\, per\, C/A\, chip)} \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/2DSearchSpace.pdf} \caption[]{The total search space} \label{img:SearchSpace2d} \end{figure} The common strategy is to start searching from the middle frequency bins and to jump up and down until the entire search space has been exhausted (first 500 Hz, second -500 Hz, then in the 1000 Hz bin and then in the -1000 Hz bin) \citep[Chapter 3]{diggelen2009a-gps}. This procedure is performed when no extra information are known by the receiver, i.e. first time the GPS receiver is turned on. It is known under the name of cold start. There are three different working mechanisms when it comes to searching for the GPS satellites. If no information are known, when some information are known and when almost all information are known. These three modes are known as cold (as mentioned earlier), warm and hot start. They differ from each other by the amount of known information by the GPS receiver. Cold start indicates the GPS receiver has no almanac, ephemeris, oscillator offset and time data. In order to track the satellites faster next time the GPS receiver is started, it stores the previously mentioned data (last known almanac, ephemeris, oscillator offset, time and position data) in its electrically erasable programmable read only memory (EEPROM). This type of start is known as a warm start, provided that the data in the receivers' EEPROM are not older than 180 days and its real time clock counter was constantly updated. In this case, the receiver uses the previously saved information to estimate the position of the satellites, therefore the Doppler effects can be estimated. As a consequence of the known Doppler effect, the frequency bin where to start the search first is known as well \citep[Chapter 3]{diggelen2009a-gps}. In the same way works the hot start, only the time is precisely known in accuracy of submilliseconds. \section{Distance and position estimation} This section will focus on examining the distance and position estimation inside of the GPS receiver. GPS system, as mentioned earlier, takes advantage of the time of arrival (TOA) ranging concept to determine user position. Time is measured how long it takes for a signal to arrive from a known location. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/Localization.pdf} \caption[]{Basic position estimation principle for one satellite} \label{img:SatLocalization} \end{figure} In figure \ref{img:SatLocalization} an example concept can be seen where $\vec{u}=(x_u,y_u,z_u)$ represents the GPS user position vector with respect to Earth-Centered, Earth-Fixed\footnote{ECEF is a Cartesian coordinate system where the point $(0,0,0)$ is defined as the center of mass of the Earth \citep{earthCoordinates}.} (ECEF) coordinate system, $\vec{r}$ is the distance vector from the satellite to the user and $\vec{s}=(x_s,y_s,z_s)$ represents the GPS satellite position with respect to ECEF at a timepoint. Vector $\vec{s}$ is computed from ephemeris data broadcasted by the satellite. Distance vector $\vec{r}$, satellite to user, can be computed using equation \eqref{eq:r} and its magnitude is given in equation \eqref{eq:rMag}. \begin{equation} \label{eq:r} \vec{r}=\vec{s}-\vec{u} \end{equation} \begin{equation} \label{eq:rMag} r=\Vert s-u\Vert \end{equation} The geometric distance of $r$ is computed by measuring the signal propagation time, this is illustrated in figure \ref{img:TimingLoc} and it was mentioned in section \ref{sec:CAdemod}. The PRN code generated on the GPS satellite at time $t_1$ arrives at the time $t_2$, the difference between these two time stamps, $\Delta t$, represents the propagation time. By multiplying the propagation time, $\Delta t$, with the speed of light, $c$, the geometric distance $r$ is computed, as given in equation \eqref{eq:rDist}. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/TimingLoc.pdf} \caption[]{Estimating the distance by phase shift $\Delta t =t_2 - t_1 =\tau$} \label{img:TimingLoc} \end{figure} \begin{equation} \label{eq:rDist} r=c\Delta t \end{equation} Since the clocks are not synchronized, as described in sections \ref{sec:SigDemod} and \ref{sec:2dSearch}, clock error offsets have to be added to the geometric distance $r$. This new distance is called \textit{pseudorange}, $\rho$, because the range is determined using the difference of two nonsynchronized clocks (one on the GPS satellite and the other one on the receiver) that generate PRN codes\footnote{pseudo - Not genuine; sham; not perfect.}. Pseudorange is calculated as given in equation \eqref{eq:rho}, where $t_{u}$ is the advance of the receiver clock with respect to the system time\footnote{System time is the exact time on Earth and it is the most precise time known!} and $\delta t$ is the offset of the satellite clock from the system time \citep{understandGPS}. \begin{equation} \label{eq:rho} \rho=r + c(t_{u}-\delta t) \end{equation} Therefore equation \eqref{eq:rMag} can be rewritten as \eqref{eq:rhoR} with respect to equation \eqref{eq:rho}. \begin{equation} \label{eq:rhoR} \rho - c(t_{u}-\delta t) = \Vert s-u\Vert \end{equation} Offset of the satellite clock from the system time, $\delta t$, is updated from Earth, as mentioned in \ref{sec:SigDemod} and for that reason it can be removed for sake of simplicity, i.e. it is not an unknown term anymore, then the eqaution \eqref{eq:rhoR} can be rewritten as \eqref{eq:rhoNew}. \begin{equation} \label{eq:rhoNew} \rho - ct_{u} = \Vert s-u\Vert \end{equation} In order to estimate the user (GPS receiver) position, advance of the receiver clock with respect to the system time, $t_u$, has to be found, in other words equation \eqref{eq:rhoSats} has to be solved, where $i$ is the index of visible satellites at the moment of signal reception \citep{understandGPS}. \begin{equation} \label{eq:rhoSats} \rho_i= \Vert s_i-u\Vert + ct_u \end{equation} The estimated position of the user, $\vec{u}=(x_u,y_u,z_u)$, is a three dimensional vector and as mentioned above the clock offset, $t_u$, is unknown as well. This four dimensional space requires to have at least four pseudorange equations \eqref{eq:rhoSats} to find all the four unknown terms. As a result of this fact, at least four satellites have to be visible at the same time to estimate the position of the target user. Equation given in \eqref{eq:rhoSats} takes the form in \eqref{eq:rhoSatsNew} because the coordinate system is Cartesian and $\rho_i$ is nothing else but Euclidean distance where $i=1,2,...,n$ such that $n\geq4$ and $\vec{s_i}=(x_i,y_i,z_i)$ is the satellite position estimated from the ephemeris data. \begin{equation} \label{eq:rhoSatsNew} \rho_i= \sqrt{(x_i-x_u)^2+(y_i-y_u)^2+(z_i-z_u)^2} + ct_u \end{equation} Undoubtedly, the given equation in \eqref{eq:rhoSatsNew} is a nonlinear equation\footnote{Nonlinear equations, also known as polynomial equations, are equations that cannot satisfy both of the linearity properties: additivity $f(x+y)=f(x)+f(y)$ and homogeneity $f(\alpha x) = \alpha f(x)$, $\alpha \in \mathbb{R}$ \citep{nonlinear}.}. It is not straightforward to find explicit solutions of nonlinear equations, it is more difficult than compared to linear equations. There are different techniques to solve sets of nonlinear equations \citep[Chapter 7]{understandGPS} but in this work the linearization method\footnote{Linear approximation is a technique where a function is approximated using a linear function.} will be presented to find the unknown terms $(x_u,y_u,z_u,t_u)$, i.e. out of an approximate position and clock offset the true user position and the true clock offset will be calculated. \begin{equation} \label{eq:rhoSatsNewFun} \rho_i= \sqrt{(x_i-x_u)^2+(y_i-y_u)^2+(z_i-z_u)^2} + ct_u = f(x_u,y_u,z_u,t_u) \end{equation} Let the equation \eqref{eq:rhoSatsNew} for pseudoranges, be rewritten as a function $f$ of four unknown terms $x_u$, $y_u$, $z_u$ and $t_u$, as given in \eqref{eq:rhoSatsNewFun} \citep[Chapter 2]{understandGPS}. Suppose that the approximation of the position and the clock offset are known, denoted as $\hat{x_u}$, $\hat{y_u}$, $\hat{z_u}$ and $\hat{t_u}$, then equation \eqref{eq:rhoSatsNewFun} can be rewritten as an approximate pseudorange \eqref{eq:rhoSatsNewFunApprox}. \begin{equation} \label{eq:rhoSatsNewFunApprox} \hat{\rho_i}= \sqrt{(x_i-\hat{x_u})^2+(y_i-\hat{y_u})^2+(z_i-\hat{z_u})^2} + c\hat{t_u} = f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u}) \end{equation} In other words, the unknown true position terms $x_u$, $y_u$, $z_u$ and the clock offset term $t_u$, of the GPS receiver, will be expressed by the approximate values and an incremental component as shown in equation \eqref{eq:userCoordinates} \citep{understandGPS}. \begin{equation} \label{eq:userCoordinates} \begin{array}{l} x_u = \hat{x_u}+\Delta x_u \\ y_u = \hat{y_u}+\Delta y_u \\ z_u = \hat{z_u}+\Delta z_u \\ t_u = \hat{t_u}+\Delta t_u \end{array} \end{equation} By inserting the terms from \eqref{eq:userCoordinates} into equation \eqref{eq:rhoSatsNewFun}, a new equation is derived as in \eqref{eq:rhoSatsNewFunwithApprox}. \begin{equation} \label{eq:rhoSatsNewFunwithApprox} f(x_u,y_u,z_u,t_u) = f(\hat{x_u}+\Delta x_u, \hat{y_u}+\Delta y_u, \hat{z_u}+\Delta z_,\hat{t_u}+\Delta t_u) \end{equation} In the next step the pseudorange function will be approximated using Taylor series\footnote{Taylor series ``is a representation of a function as an infinite sum of terms that are calculated from the values of the function's derivatives at a single point'' \citep[Chapter 11]{taylor}.} (linearization of the nonlinear equation). Taylor series for a function $f(x)$ is given in equation \eqref{eq:taylor}, where as $a$ approches $x$ the estimation error will be smaller and smaller, i.e. $f(x) = f(a)$ when $x=a$. The approximation error depends on Taylor polynomial degree (the amount of terms or taken derivatives of the function) and how far away the point $a$ is from $x$ \citep[Chapter 11.9]{taylor}. The basic idea of the principle can be seen in figure \ref{img:taylorSeries}. \begin{equation} \label{eq:taylor} f(x) = \sum_{n=0}^{\infty}\frac{f^{(n)}(a)}{n!}(x-a)^n = f(a) + \frac{f'(a)}{1!}(x-a)+\frac{f''(a)}{2!}(x-a)^2+... \end{equation} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/TaylorSeries.pdf} \caption[]{Taylor series approximation for a point $a=0.5$ where $n$ is the Taylor polynomial degree.} \label{img:taylorSeries} \end{figure} Due to the four unknown terms, Taylor series for multivariables have to be used. The general formula is given in equation \eqref{eq:Multitaylor}, where vector $\mathbf{x}\in\mathbb{R}^n$ denotes $n$ variables, $\nabla$ (nabla) is the Del\footnote{Del, $\nabla$, is the vector differential operator.} operator given in \eqref{eq:Del} and $\mathbf{a}$ is the linearization point of interest \citep{multiTaylor}. \begin{equation} \label{eq:Multitaylor} f(\mathbf{x}) \approx f(\mathbf{a}) + \nabla f |_{\mathbf{x=a}} \cdot (x-a) \end{equation} \begin{equation} \label{eq:Del} \nabla^{T} = \left[\frac{\partial}{\partial x_{1}}...\frac{\partial}{\partial x_{n}}\right] \end{equation} One can note that in equation \eqref{eq:Multitaylor} the Taylor series polynomial is of the first degree. This is because of one reason, it linearizes the approximation of the function $f(\mathbf{x})$ at point $\mathbf{a}$ and as a consequence it removes the nonlinearities \citep{understandGPS} \citep[Chapter 11.10]{taylor}, as seen in figure \ref{img:taylorSeries}, for $n=1$ the resulting function is linear. In the previously described step, one would calculate a hyperplane tangent to a point $a$ in a $n$-Dimensional space. By inserting equation \eqref{eq:rhoSatsNewFunwithApprox} in equation \eqref{eq:Multitaylor}, it yields equation \eqref{eq:MultitaylorFour} where $\mathbf{x}=(x_u,y_u,z_u,t_u)$ and $\mathbf{a}=(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})$. \begin{equation} \label{eq:MultitaylorFour} \begin{array}{l} f(\hat{x_u}+\Delta x_u, \hat{y_u}+\Delta y_u, \hat{z_u}+\Delta z_,\hat{t_u}+\Delta t_u) \approx f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u}) \\[0.5em] + \dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{x_u}}\Delta x_u +\dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{y_u}}\Delta y_u \\ +\dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{z_u}}\Delta z_u +\dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{t_u}}\Delta t_u \end{array} \end{equation} The terms from equation \eqref{eq:MultitaylorFour} are solved individually in equations \eqref{eq:MultitaylorDeriv} where $\sqrt{(x_i-\hat{x_u})^2+(y_i-\hat{y_u})^2+(z_i-\hat{z_u})^2}$ has been subsituted with $\hat{r_i}$. \begin{equation} \label{eq:MultitaylorDeriv} \begin{array}{l} \dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{x_u}} = \dfrac{1}{2}\dfrac{-2(x_{i}-\hat{x_{u}})}{\sqrt{(x_i-\hat{x_u})^2+(y_i-\hat{y_u})^2+(z_i-\hat{z_u})^2}} =-\dfrac{x_i-\hat{x_u}}{\hat{r_i}}\\[0.9em] \dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{y_u}} = \dfrac{1}{2}\dfrac{-2(y_{i}-\hat{y_{u}})}{\sqrt{(x_i-\hat{x_u})^2+(y_i-\hat{y_u})^2+(z_i-\hat{z_u})^2}} =-\dfrac{y_i-\hat{y_u}}{\hat{r_i}}\\[0.9em] \dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{z_u}} = \dfrac{1}{2}\dfrac{-2(z_{i}-\hat{z_{u}})}{\sqrt{(x_i-\hat{x_u})^2+(y_i-\hat{y_u})^2+(z_i-\hat{z_u})^2}} =-\dfrac{z_i-\hat{z_u}}{\hat{r_i}}\\[0.9em] \dfrac{\partial f(\hat{x_u},\hat{y_u},\hat{z_u},\hat{t_u})}{\partial \hat{t_u}} = c \end{array} \end{equation} Then by substituting the equation terms from \eqref{eq:MultitaylorDeriv}, \eqref{eq:rhoSatsNewFun} and \eqref{eq:rhoSatsNewFunApprox} into \eqref{eq:MultitaylorFour}, the resulting equation is given in \eqref{eq:MultitaylorDerivAfter}. \begin{equation} \label{eq:MultitaylorDerivAfter} \begin{array}{l} \rho_i = \hat{\rho_i} -\dfrac{x_i-\hat{x_u}}{\hat{r_i}}\Delta x_u -\dfrac{y_i-\hat{y_u}}{\hat{r_i}}\Delta y_u -\dfrac{z_i-\hat{z_u}}{\hat{r_i}}\Delta z_u + c\Delta t_u \end{array} \end{equation} At this step, by solving equation \eqref{eq:MultitaylorFour}, the linearization of the nonlinear equations is completed. \begin{equation} \label{eq:MultitaylorDerivAfterRearange} \begin{array}{l} \hat{\rho_i} - \rho_i = \dfrac{x_i-\hat{x_u}}{\hat{r_i}}\Delta x_u +\dfrac{y_i-\hat{y_u}}{\hat{r_i}}\Delta y_u +\dfrac{z_i-\hat{z_u}}{\hat{r_i}}\Delta z_u - c\Delta t_u \end{array} \end{equation} \begin{equation} \label{eq:SubsTerms1} \Delta\rho = \hat{\rho_i} - \rho_i \\[0.7em] \end{equation} \begin{equation} \label{eq:SubsTerms2} \alpha_{xi} = \dfrac{x_i - \hat{x_u}}{\hat{r_i}} \hspace{1.5em} \alpha_{yi} = \dfrac{y_i - \hat{y_u}}{\hat{r_i}} \hspace{1.5em} \alpha_{zi} = \dfrac{z_i - \hat{z_u}}{\hat{r_i}} \end{equation} By rearanging the equation \eqref{eq:MultitaylorDerivAfter} and by substituting the terms in \eqref{eq:SubsTerms1} and \eqref{eq:SubsTerms2} into \eqref{eq:MultitaylorDerivAfterRearange}, the equation \eqref{eq:MultitaylorDerivAfterRearange} resembles the one given in \eqref{eq:userPosition}. \begin{equation} \label{eq:userPosition} \Delta\rho_i = \alpha_{xi}\Delta x_u + \alpha_{yi}\Delta y_u + \alpha_{zi}\Delta z_u - c\Delta t_u \end{equation} There are four unknowns, $\Delta x_u$, $\Delta y_u$, $\Delta z_u$ and $\Delta t_u$, in equation \eqref{eq:userPosition}. By solving this set of linear equations, which will result in finding $\Delta x_u$, $\Delta y_u$, $\Delta z_u$ and $\Delta t_u$, the GPS receiver position $(x_u, y_u, z_u)$ and clock offset $t_u$ is computed by replacing the same into equations in \eqref{eq:userCoordinates}. Equation \eqref{eq:userPosition} can be rewritten for four satellites in the matrix form as in \eqref{eq:userPositionMatrix}. \begin{equation} \label{eq:userPositionMatrix} \Delta\boldsymbol{\rho} = \boldsymbol{\alpha} \Delta \boldsymbol{x} \end{equation} \begin{equation} \Delta\boldsymbol{\rho}= \begin{bmatrix} \Delta \rho_1 \\ \Delta \rho_2 \\ \Delta \rho_3 \\ \Delta \rho_4 \end{bmatrix} \hspace{1.5em} \boldsymbol{\alpha}= \begin{bmatrix} \alpha_{x1} & \alpha_{y1} & \alpha_{z1} & 1 \\ \alpha_{x2} & \alpha_{y2} & \alpha_{z2} & 1 \\ \alpha_{x3} & \alpha_{y3} & \alpha_{z3} & 1 \\ \alpha_{x4} & \alpha_{y4} & \alpha_{z4} & 1 \end{bmatrix} \hspace{1.5em} \Delta \boldsymbol{x}= \begin{bmatrix} \Delta x_u \\ \Delta y_u \\ \Delta z_u \\ -\Delta ct_u \end{bmatrix} \end{equation} Finally, by multiplying both left sides\footnote{Matrix multiplication is not communitative, $\mathbf{AB\neq BA}$.} of the equation \eqref{eq:userPositionMatrix} with the inverse term of $\boldsymbol{\alpha}$, it yields the result of the unknown terms, as given in equation \eqref{eq:userPositionMatrixFinal}. \begin{equation} \label{eq:userPositionMatrixInverseMult} \boldsymbol{\alpha}^{-1}\Delta\boldsymbol{\rho} = \boldsymbol{\alpha}^{-1}\boldsymbol{\alpha} \Delta \boldsymbol{x} \end{equation} \begin{equation} \label{eq:userPositionMatrixFinal} \Delta \boldsymbol{x} = \boldsymbol{\alpha}^{-1} \Delta\boldsymbol{\rho} \end{equation} Linearization is repeated in a loop, where in the next round the approximate positions are set to the just derived position values, that is, $\hat{x_u}=x_u$, $\hat{y_u}=y_u$, $\hat{z_u}=z_u$ and $\hat{t_u}=t_u$. This process is repeated until the approximated positions converge to their final values. It is not necessarily required that the initial positions are very accurate and the results are usually obtained by 4-5 itterations \citep{pseudorangeError}. Risks exist that the solutions will still be corrupted but there are different error avoiding mechanisms to solve these problems, like minimizing the error contribution using more than four satellite measurements \citep{pseudorangeError} \citep[Chapter 7]{understandGPS}. \section{Assisted GPS in Wireless networks} \label{sec:agps} In the following paragraphs Assisted GPS (A-GPS) will be presented and how it works. A-GPS receivers work on a ``similar principle'' as warm/hot start on GPS receivers. Instead of loading the recently saved data from the EEPROM, an external transfer medium is used to deliver the same type of information that are known at a warm/hot start \citep{755159}, \citep{901174}, \citep{springerlink:10.1007/s10291-002-0028-0}. In this work, the external transfer medium is air and the information are transfered using electromagnetic waves. The existing GSM interface was utilised for the purpose of delivering the data to the smart phone with an A-GPS receiver. The basic scenario can be seen in figure \ref{img:agpsPrinciple}. The BTS station is connected to the global navigation satellite system (GNSS) server, which is directly connected to the GPS reference station. The GPS reference station delivers the GNSS server exact time stamps, approximate location, satellite health as well as clock corrections, ionospheric and UTC model, almanac and ephemeris data \citep{springerlink:10.1007/s10291-002-0028-0}. \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/A-GPS.pdf} \caption[]{Basic A-GPS principle} \label{img:agpsPrinciple} \end{figure} Time stamp is not used in GSM networks since it can be off by several seconds and would require additional equipment for synchronizing the network \citep{springerlink:10.1007/s10291-002-0028-0}, \citep{901174}. However in CDMA networks the time stamp is accurate to within $100 \, \mu s$ \citep{springerlink:10.1007/s10291-002-0028-0}. Approximate location is typically taken to be the location of the BTS from which the target A-GPS receiver acquires the assistance data. Ephemeris and navigation data obtained by the A-GPS receiver help it to estimate the positions of the satellites and they can greatly enhance the sensitivity of the receiver especially in urban environments \citep{springerlink:10.1007/s10291-002-0028-0}. Conventional GPS receivers require at least up to extra $18$ to $30\,s$ to receive and decode the navigation data and to generate a location fix \citep{springerlink:10.1007/s10291-002-0028-0}. The bit error rate associated with gathering and decoding data dramatically decreases since the acquired signals can be attenuated by $10$ to $20\, \mathrm{dB}$ indoors \citep{springerlink:10.1007/s10291-002-0028-0} of the nominal $-130 \,\mathrm{dB}$ on a $3\, dBi$ ``linearly polarized user receiving antenna\footnote{3 dBi antenna indicates an antenna with a gain of $3\, \mathrm{dB}$ with respect to an isotropic (omnidirectional) antenna \citep[Chapter 2]{diggelen2009a-gps}.} (located near ground) at worst normal orientation'' \citep{GPS-Interface-Specification}. A simplified A-GPS algorithm given in \citep{springerlink:10.1007/s10291-002-0028-0} will be presented here. This algorithm benefits in speed the more assistance data is present. As the first satellites are tracked, the A-GPS algorithm has an estimation of the feasible region where the target A-GPS user might be located. Consequently, this feasible region will shrink until the location has been fully estimated \citep{springerlink:10.1007/s10291-002-0028-0}. \begin{enumerate}[(i)] \item Visible satellites and their positions are identified and computed out of the delivered ephemeris and time data. \item For each visible satellite $SV_i$, the code phase, $\tau_i$, is estimated. \item Pseudoranges are calculated for each visible satellite $SV_i$. \item Triangulate the position out of the pseudoranges $\rho_i$. \end{enumerate} Although the A-GPS algorithms can be seen as a set of equations, with more unknowns terms known it is straightforward to solve the set of equations. However, with more of the unknown terms it takes more time to get (decode) them from the satellite messages. One should know various A-GPS algorithms exist, some do not require the exact time component and navigation data to be present in the assistance data \citep{998892}. \section{Error estimation} \chapter{Radio Resource Location Protocol} \chapter {Working} \section{Zitieren..} citep: \citep{multipleTRX} \\ citet: \citet{multipleTRX} \chapter{System} Test test \chapter{Software} Author's test system operated on the ARFCN 877 channel. ARFCN (Absolute Radio Frequency Channel Number) defines the uplink and downlink channel frequency insdide the GSM network \citep{Richard2011Master}. ARFCN 877 corresponds to the uplink frequency of 1,783.2 MHz and a downlink frequency of 1,878.2 MHz, where the uplink direction represents the direction from the nanoBTS to the mobile stations and downlink the opposite direction. The decision to use the ARFCN 877 channel was derived from the fact that the channel was free, measurements were carried out with a spectrum analyser built on the USRP hardware. \chapter{Hardware} In the following chapter the author will introduce the reader to the hardware components used in the thesis. The hardware components will be presented according to their importance of building an operational and functional GSM network with GPS localization capabilities. Firstly the nanoBTS will be introduced since it is the main hardware component used for building a basic GSM network infrastructure. Then a short insight into the used GPS receiver will be given. Additionally the mobile stations used for testing of the system will be reviewed. Finally, a hardware connection diagram will be given. \section{GSM BTS - nanoBTS} In recent years, there has been an increasing interest in deployment of private cellular networks in remote areas or for research which lead to the devolopment of diverse ``low-cost'' GSM hardware solutions. According to ip.access\footnote{http://www.ipaccess.com}, the manufacturer of nanoBTS, their hardware product is deployed for coverage of ``hard-to-reach places; in-buildings; remote areas; marine and aviation; and public spaces''. A nanoBTS with its plastic cover can be seen in Figure \ref{img:nanoBTSPlastic}. Our University GSM network consists of three nanoBTS stations. The deployed nanoBTS in author's thesis works in the 1800 MHz frequency range, for which the University of Freiburg had obtained a licence from the Federal Network Agency (German: $Bundesnetzagentur$). The transmission frequencies range between 1805-1880 MHz, with 200 kHz channel spacing and maximal output power of +13 dBm ($\approx$20 mW)\todo{Check the output powere 20 dBm}, whereas the receiving frequencies lie in the range between 1710-1785 MHz and same channel spacing as for transmission of 200 kHz \citep{nanoGSM2007brochure}. \todo{Add the Abis over IP protocol} \begin{figure}[ht!] \centering \includegraphics[scale=0.50]{img/nanoBTS.jpg} \caption[]{nanoBTS with its plastic cover. Image courtesy of ip.access ltd} \label{img:nanoBTSPlastic} \end{figure} The nanoBTS is equiped with an internal 0 dBi (nominal) omni-directional antenna. However, two external antennas sized 30x36 mm, one for transmission (TX) and the other one for reception (RX) of radio waves were used to extend the coverage area. These antennas are connected via the SMA connectors. By using an RF amplifier and larger antennas, for these frequency ranges, the covered area with the GSM signal reception can be increased. For the gain estimation and radiation angle of the used antennas the measurement equipment was missing and therefore was not conducted and described in this work.\todo{Check for what NWL is} At the bottom of the nanoBTS there are 5 ports, as seen in Figure \ref{img:nanoBTSPorts}. The ports from left to right are: voltage supply, ethernet cable with power supply, USB port, TIB-IN and TIB-OUT. In the next paragraph a brief overview of each port will be given. \begin{figure}[ht!] \centering \includegraphics[scale=0.15]{img/nanoBTSPorts.jpg} \caption[]{nanoBTS with two external antennas and five connection ports} \label{img:nanoBTSPorts} \end{figure} The left most port is the power supply port used for supplying the nanoBTS with 48 V DC and is optionally used depending on the cable configuration. In author's hardware configuration the power supply port is not used. The following port is for the ethernet connection with 48 V DC power supply. This port is connected to a power supply that is supplied with the nanoBTS. It extends the ethernet connection with 48 V DC for the normal operation mode of the nanoBTS which is in the range between 38-50 V DC. The power consumtion of the nanoBTS is 13 W. More details on how to interconnect the cables will be given in section \ref{sec:hardwareConfig}. In the middle of the five port region, the mini USB port can be found. It is used by the manufacturer to write the firmware software to the nanoBTS. The last two ports are the TIB-IN and TIB-OUT port\footnote{TIB stands for Timing Interface Bus}. These two ports are used if the GSM network operator requires more than 11 channels to increase the overall capacity of the network. ``Up to 4 nanoBTS can be combined into a multiple TRX cell, increasing the number of supported users per TRX by up to 200\%. The TIB-OUT from the Master TRX must be connected to the TIB-IN of the slave TRX. This in turn has its TIB-OUT connected to the next TRX in the chain'' \citep{multipleTRX}. The multiple TRX cell configuration will not be further discussed in this work since the purpose of the work was not to boost the capacity of a GSM network but implementation and testing of the RRLP protocol. To determine the working state of the nanoBTS, an indicator status LED is located on the left side of the five ports region. After the nanoBTS is connected to the power suplly with the ethernet cable, it will change its color and blink speed according to the state it is in. The states can be seen in the Table given in \ref{tbl:LEDStatus} \citep{installnanoBTS}. One of the key limitations of gathering more technical data and the critical aspect of this description lies in the fact, that nanoBTS is not an open source hardware platform and ip.access does not offer more details on their product. The lack of systematic hardware analysis can be seen as a major drawback of working with the nanoBTS hardware. However, the given technical data are sufficient for reproducing and conducting the RRLP tests described in this thesis. \begin{table}[h!t!p!] \begin{center} \caption{Indicator LED status on the nanoBTS} \begin{tabular}{|c||p{3cm}|p{5cm}|c|c|} \hline % \T and \B would not work if it is placed here (needs to go inside cell) State&Color \& Pattern&When&Precedence \\ \hline\hline Self-test failure&Red - Steady&In boot or application code when a power on self-test fails&1 (High) \\ \hline Unspecified failure&Red - Steady &On software fatal errors&2 \\ \hline No ethernet&Orange - Slow flash &Ethernet disconnected&3 \\ \hline Factory reset&Red - Fast blink &Dongle detected at start up and the factory defaults have been applied&4 \\ \hline Not configured&Alternating Red/Green - Fast flash &The unit has not been configured&5 \\ \hline Downloading code&Orange - Fast flash &Code download procedure is in progress&6 \\ \hline Establishing XML&Orange - Slow blink &A management link has not yet been established but is needed for the TRX to become operational. Specifically: for a master a Primary OML or Secondary OML is not yet established; for a slave an IML to its master or a Secondary OML is not yet established.&7 \\ \hline Self-test &Orange - Steady & From power on until end of backhaul powe on self-test&8 \\ \hline NWL-test &Green - Fast flash & OML established, NWL test in progress&9 \\ \hline OCXO Calibration &Alternating Green/Orange - Slow blink & The unit is in the fast calibrating state [SYNC]&10 \\ \hline Not transmitting &Green - Slow flash & The radio carrier is not being transmitted &11 \\ \hline Operational &Green - Steady & Default condition if none of the above apply&12 (Low) \\ \hline \end{tabular} \end{center} \label{tbl:LEDStatus} \end{table} \newpage \section{GPS Receiver - NL-402U} \label{sec:gpsDevice} In the next paragraphs the used GPS device will be described. In contrast to the earlier described hardware, nanoBTS, which the University of Freiburg already owned, the budget for the GPS receiver was limited and the Navilock NL-402U was bought considering only the single criterion, the price. The Navilock NL-402U GPS receiver is based on the u-blox UBX-G5000 single chipset and is a one chip solution \citep{ubxDatasheet}. It can be seen on Figure \ref{img:gpsNavilock} with its passive ceramic patch antenna. 1575,42 MHz is the operating frequency of the receiver which corresponds to the L1 civil frequencies and Coarse/Acquisition (C/A) code. The GPS chipset consists of 50 channels, each channel tracks the transmission from a single satellite \citep{understandGPS}. It is important to note, the number of channels inside a GPS receiver interrelates with the amount of time required to get the first fix. Receiver tracking sensitivity is -160 dBm ($10^{-16}$ mW). The GPS receiver communicates with the computer ovet the USB port. Although the GPS receiver uses an USB interface, on the computer it emulates 2 UART ports, which are serial communication interfaces. \begin{figure}[ht!] \centering \includegraphics[scale=0.12]{img/gpsNavlock.jpg} \caption[]{Navilock NL-402U, opened up with the antenna and USB cable} \label{img:gpsNavilock} \end{figure} \section{Cable configuration} \label{sec:hardwareConfig} In the next section, the author will focus on properly connecting the hardware. At least 4 ethernet cables with RJ45 connectors, on both sides, were required and one switch or hub connected to the internet. One should take notice of the cabling between the nanoBTS and the ethernet switch or hub, since wrong cabling with the power supply unit (PSU) could damage one of the devices. In Figure \ref{img:connectionDiagram}, the junction points are label according to the used configuration setting. The ethernet cables between the switch/hub, PSU and nanoBTS should not be longer than 100 m \citep{installnanoBTS}. \begin{figure}[ht!] \centering \includegraphics[scale=0.5]{img/hardwareConnection} \caption[]{Cable connections, showing interconnection diagram} \label{img:connectionDiagram} \end{figure} \chapter{Testing} Test if it can be tricked out by the software Dennis mentioned (protect my privacy)! \chapter{Implementation} \chapter{Future work} \chapter{Summary} \chapter*{Dictionary of acronyms} \begin{itemize} \item \emph{ARFCN} - Absolute Radio Frequency Channel Number - The channel number specifies the physical frequency channel used for transmission and reception of radio waves inside of an BTS covered area. \item \emph{BTS} - Base Transceiver Station - \item \emph{DC} - Direct Current \item \emph{GNSS} - Global Navigation Satellite System - A satellite navigation system that allows a specialized receive to determine its location on Earth. \item \emph{LED} - Light Emitting Diode - A diode that emitts light. \item \emph{IP Address} - \todo{Write what an IP address is}. \item \emph{PCB} - Printed Circuit Board - The board where electronic components are soldered onto and wired through conductive tracks. \item \emph{RRLP} - Radio Resource Location Protocol - The employed protocol in GSM, UMTS and other wireless networks for providing and exchange of geolocation information. \item \emph{SMA} - SubMiniature version A - SMA is a connector used for interconnecting coaxial cables or PCB electronics that work in the frequency range between 0-18 GHz. \item \emph{TIB} - Time Interface Bus - The TIB is used to provide the synchronization of the clock, frequency and frame number between the nanoBTS when operating in a single 2-4 BTS configuration. \item \emph{TRX} - \item \emph{UART} - Universal Asynchronous Receiver Transmitter - A serial communication interface used by computers or other peripheral devices to communicate. \item \emph{UMTS} - Universal Mobile Telecommunications System - Third generation mobile network based on the GSM standards. \end{itemize}