Timing Advance and Android smartphones

Timing Advance (TA), when available, can be used to confine the possible location of a cellular base station (BS) antenna to a thin annular band with center at the user equipment (UE).
The Timing Advance at two different user equipment locations can narrow down the possible base station locations to a pair of quadrilaterals (intersections of two annuli centered on the two UE locations). Timing Advance from more than two UE locations can narrow down the possibilities even further.

Timing Advance in GSM and LTE

GSM and LTE use time-division multiple access (TDMA) as part of their way of sharing a radio frequency band between multiple users. This is different from CDMA, which uses code-division multiple access (but then, CDMA base stations are supposed to broadcast their geographical location anyway).

In GSM and LTE, each active user is assigned a particular time slot during which their transmission should arrive at the base station (BS) in order not to interfere with messages from other users. Because of the finite speed of electromagnetic propagation, the message has to be sent from the user equipment (UE) some time earlier. Furthermore, user equipment does not have a perfectly accurate clock, and is not synchronized (unlike CDMA). As a result, timing has to be based on the arrival times of transmissions from the base station. Specifically, user equipment sends its message at a given (negative) offset, called the Timing Advance, from the start of a message slot as defined by signals arriving from the base station. Signals from the BS also take some time to traverse the distance between BS and UE. So overall, the timing advance is the round-trip time from BS to UE and back to BS (hence twice the one-way propagation time).

Initially, the BS determines a suitable value for TA based on brief communication with the UE over a separate random access channel (RACH) (the UE has to have a way of establishing a connection with the BS before it knows the TA). The BS sends this initial value of TA to the UE for use in the transmission of data. Since TA depends on the distance, it will change if the UE moves. During data communication, the BS continuously monitors the arrival time of messages from the UE and sends commands back to it to make small adjustments to the TA so as to continue avoiding overlap with messages from other UEs.

Because of the potential motion of the UE, the current value of TA is considered valid only for a short length of time as determined by a timer set by the BS. If there is no further data communication before that time elapses, then a new TA has to be negotiated using the RACH. This means that the radio in the UE will have a valid TA only (i) when there is an active data connection; and (ii) for a short time after, as limited by the TimingAdvance Timer.

Timing Advance in practice is quantized, and limited in magnitude, so as to permit it to be represented by a number with a fixed number of bits in communications between the BS and the UE.

Timing Advance in GSM

In GSM, the units of time are bit periods of 3.69 µseconds, corresponding to 1107 meters in round-trip distance, or 554 meters one way (c = 299,792.458 m/sec). A change of 1 in TA corresponds to a change in distance of 554 meters. Because of this coarse quantization, the Timing Advance is of rather limited use in locating a GSM base station.

To allow transmission in a fixed size packet, there is an upper limit on the integer representing TA. In the case of GSM, this is a 6 bit quantity, ranging from 0 to 63. So the maximum (one-way) distance is about 35 km (there is a mechanism to provide for extended range, where TA can be as large as 219, corresponding to a maximum range of about 121 km, but this is not often used because it reduces capacity since the size of time slots has to be doubled).

Timing Advance in LTE

Time slots are shorter in LTE than in GSM. Correspondingly, the units of time used for specifying the Timing Advance are also smaller, namely 0.52 µseconds (16 * 1/(15000*2048) seconds) according to the 3GPP documentation (3GPP 36.213). So a change of 1 in TA supposedly corresponds to 156.14 meters in round-trip distance, or 78.07 meters one way (d = c * Ta / 2, where c = 299,792.458 m/sec, Ta = 16 * Ts, and Ts = 1/(15000*2048)).

Again, there is an upper limit on possible values. In LTE, the initial TA sent from the BS to the UE is an 11 bit quantity, restricted to a maximum value of 1282 (incremental updates sent from the BS to the UE are signed quantities packed into six bits). This provides for a maximum (one-way) distance of just over 100 km.

Timing Advance on Android

On Android phones it is possible to recover a “TimingAdvance” from information about LTE connections. But the integer obtained this way appears to be about half of what the 3GPP specification (e.g. 3GPP 36.213) says. Further evidence of a problem is that TAs larger than about 600 are not found in practice, while the specification says TA values can range up to 1282.

It's not clear whether this is a misfeature of

In any case, the result is that the spatial quantization is roughly twice the expected 78 meters (too bad!). Actually, least squares fitting of thousands of measurements, where the locations of base station and user equipment are well known, shows that even this is not correct!

Calibration of Distance corresponding to Timing Advance

Due to the quantization of TA, estimation of the proportionality factor between Android ‘TimingAdvance’ and distance is best done using connections with large separations between UE and BS. This is only possible when there are no nearby base stations that the user equipment can connect to. A sparsely populated area, with few base stations near the UE, and rugged terrain that blocks signals from some base stations is ideal. Of course, one also needs to obtain the locations of the BS antennas connected to, based on their identification (MCC:MNC LAC:CI in the case of LTE). The following show lines connecting UE to BS in a few sample long distance experiments.
When aiming for the highest accuracy in these results, the ellipsoidal nature of the earth needs to be taken into account when calculating distances from latitude and longitude (note that Google Maps uses a spherical approximation).

The following shows superposition of circles with radius based on such least squares fitting. This confirms that the unit of mTimingAdvance is not 78 meters.
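The least squares calibration described above, as an added example (not code from the original article or from CellTracker): it fits the meters-per-unit factor from records of known UE and BS positions, and shows on constructed data why short-range records calibrate poorly. The simulated unit, the positions, and the model that a reported TA of k covers distances from k to k+1 units are assumptions; distances use a spherical approximation for brevity, so a real calibration should substitute an ellipsoidal geodesic.

```python
import math

EARTH_RADIUS_M = 6371008.8  # mean radius; spherical approximation (assumption)

def great_circle_m(lat1, lon1, lat2, lon2):
    """Haversine distance in meters between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def fit_unit_m(records):
    """Least squares fit of distance = unit * (TA + 0.5), line through the origin.
    records: (ue_lat, ue_lon, bs_lat, bs_lon, ta) tuples. The +0.5 places each
    measurement at the middle of its quantization bin (assumed model)."""
    sxx = sxy = 0.0
    for ue_lat, ue_lon, bs_lat, bs_lon, ta in records:
        x = ta + 0.5
        d = great_circle_m(ue_lat, ue_lon, bs_lat, bs_lon)
        sxx += x * x
        sxy += x * d
    return sxy / sxx

def simulate(bs_lat, bs_lon, dist_m, unit_m):
    """Build one constructed record: UE placed dist_m due north of the BS."""
    ue_lat = bs_lat + math.degrees(dist_m / EARTH_RADIUS_M)
    return (ue_lat, bs_lon, bs_lat, bs_lon, int(dist_m // unit_m))

SIM_UNIT_M = 150.0  # arbitrary value for the constructed data, not a measurement
BS = (44.0, -71.0)  # constructed base station position
# Distances chosen near the top of their TA bins, the worst case for bias.
NEAR = [simulate(*BS, d, SIM_UNIT_M) for d in (290, 445, 595)]
FAR = [simulate(*BS, d, SIM_UNIT_M) for d in (7640, 12140, 19040, 25340)]

if __name__ == "__main__":
    print("short-range fit: %.1f m per unit" % fit_unit_m(NEAR))
    print("long-range fit:  %.1f m per unit" % fit_unit_m(FAR))
```

The quantization error is at most one unit regardless of distance, so its relative effect on the fitted slope shrinks as the UE to BS separation grows.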

Timing Advance and CellTracker

The latest versions of the CellTracker app for Android show TA in the third line of text on screen, when available. This will only happen when:

Note that this typically will not happen if there is an active WiFi connection because data will preferentially go over WiFi. So you may want to turn off WiFi while exploring. Of course, in that case, data charges will accrue when updating the map since that will be done over the cellular system. To keep data transmission rates low, uncheck “Satellite View” in the ‘More’ menu.

Superimposing Circles in CellTracker

The latest version of CellTracker also has a new menu item called “Timing Advance”. Checking this causes it to superimpose circles on the map, centered on the current location and with radius determined by the current Timing Advance. To remove this overlay, simply uncheck the “Timing Advance” menu item again.

Touching the screen inside one of the circles will bring up information including the BS ID (which, for LTE, is MCC:MNC LAC:CI) and the TA for that circle. (The circles are overlaid in decreasing order of TA, so that a smaller circle is higher in “Z-order” than a larger one).

The circles are color coded based on the CI value of the BS ID. Since base station antennas typically are part of a group covering different sectors (often 3, 6, or 9 sectors; see also Cellular ID Numerology), an attempt is made to color circles belonging to related antennas with the same color. This is based on the rule that the high order 24 bits of CI are the eNodeB number and the last 8 bits are the sector number (sadly, some carriers do not seem to stick to this rule consistently).

The overlaid circles can be used in various ways. One is to travel around an area to try and locate places where TA is small, perhaps 0. You are then probably within roughly 156 meters of the BS. Another is to travel some distance, preferably not simply in a straight line, and watch for circles overlapping more and more in the area where the base station is located. See examples above.

Timing Advance in the Cell Data File

Finally, CellTracker can also write the Timing Advance information in the CSV file (if that is enabled using “Record Cell Data” from the menu). TA appears near the end of each line, when available. This can be used off-line for more detailed analysis. Note that the initial value of TA negotiated between BS and UE tends to be more accurate than later values (since the BS may not send updates to the UE until there is a significant discrepancy). That is, it is best to use the geographical location and TA for places where (i) TA has just changed; and/or (ii) LAC:CI changed. This is particularly important if you are in a vehicle that is moving rapidly.

If you travel in a straight line, and the BS is not on your path, then there may be a two-way ambiguity (to the left or to the right of the road you travelled). Such ambiguities can often be resolved by looking in both places on Google Maps. In addition, the ID of the BS (namely MCC, MNC, LAC and CI) can be used to interrogate Google's database of base stations using simple JSON queries (see the Google Maps Geolocation API for details). Note that the location reported back this way is not the location of the base station (otherwise there would be no point to all of this here!). Instead it is the centroid of locations from which cellphones reported connecting to a particular BS (which is what is most useful for location dependent advertising). Also reported back is the “accuracy” radius (RMS spread of those contacts relative to their centroid), which gives some idea of how close the centroid might be to the actual location of the BS.
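An added sketch of the off-line analysis described in this section (not CellTracker's code): it keeps only rows where the TA or cell ID has just changed, then lets each annulus vote over a grid so the cells with the most votes bound the base station. Positions are assumed to be already projected to local east/north meters, `unit_m` is the calibrated meters per TA unit, and the row layout, cell ID and sample rows are constructed.

```python
import math

def fresh_fixes(rows):
    """Keep rows where the cell ID or TA differs from the previous row, i.e.
    positions recorded right after the TA was negotiated or updated."""
    kept, prev = [], None
    for cell, east, north, ta in rows:
        if (cell, ta) != prev:
            kept.append((east, north, ta))
        prev = (cell, ta)
    return kept

def locate_bs(fixes, unit_m, cell_m=20.0):
    """fixes: (east_m, north_m, ta) tuples for ONE base station.
    Returns (east, north, votes, spread_m) over the grid cells with most votes;
    a spread much larger than unit_m signals an unresolved ambiguity."""
    reach = (max(ta for _, _, ta in fixes) + 1) * unit_m
    x0 = min(e for e, _, _ in fixes) - reach
    x1 = max(e for e, _, _ in fixes) + reach
    y0 = min(n for _, n, _ in fixes) - reach
    y1 = max(n for _, n, _ in fixes) + reach
    best, top = 0, []
    for i in range(int((x1 - x0) / cell_m) + 1):
        x = x0 + i * cell_m
        for j in range(int((y1 - y0) / cell_m) + 1):
            y = y0 + j * cell_m
            # Assumption: a reported TA of k means k*unit <= distance < (k+1)*unit.
            votes = sum(ta * unit_m <= math.hypot(x - e, y - n) < (ta + 1) * unit_m
                        for e, n, ta in fixes)
            if votes > best:
                best, top = votes, []
            if votes == best and votes > 0:
                top.append((x, y))
    cx = sum(p[0] for p in top) / len(top)
    cy = sum(p[1] for p in top) / len(top)
    spread = max(math.hypot(px - cx, py - cy) for px, py in top)
    return cx, cy, best, spread

# Constructed sample: (cell ID, east m, north m, TA) for a simulated BS at
# (1000, 2000) with an arbitrary 150 m per TA unit; the last row is stale.
CELL = "001:01 1:257"  # placeholder MCC:MNC LAC:CI
SAMPLE_ROWS = [
    (CELL, 0, 0, 14), (CELL, 1100, 600, 9), (CELL, 2500, 500, 14),
    (CELL, -500, 2500, 10), (CELL, 2000, 2200, 6), (CELL, 1700, 2150, 6),
]
```

With fixes taken along a straight line, the cells with the most votes fall into two mirror-image clusters and the returned spread becomes large, which is the two-way ambiguity described above.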

Timing Advance in the City:

Timing Advance is not quite as useful in locating base stations in the city.
There are a number of reasons:

Berthold K.P. Horn, bkph@ai.mit.edu