In GSM and LTE, each active user is assigned a particular time slot during which their transmission should arrive at the base station (BS) in order not to interfere with messages from other users. Because of the finite speed of electromagnetic propagation, the message has to be sent fom the user equipment (UE) some time earlier. Furthermore, user equipment does not have a perfectly accurate clock, and is not synchronized (unlike CDMA). As a result, timing has to be based on the arrival times of transmissions from the base station. Specifically, user equipment sends its message at a given (negative) offset called the Timing Advance, from the start of a message slot as defined by signals arriving from the base station. Signals from the BS also take some time to traverse the distance between BS and UE. So overall, the timing advance is the round-trip time from BS to UE and back to BS (hence twice the one-way propagation time).
Initially, the BS determines a suitable value for TA based on brief communication with the UE over a separate random access channel (RACH) (the UE has to have a way of establishing a connection with the BS before it knows the TA). The BS sends this initial value of TA to the UE for use in the transmission of data. Since TA depends on the distance, it will change if the UE moves. During data communication, the BS continuously monitors arrival time of message from the UE and sends commands back to it to make small adjustments to the TA in order so as to continue avoiding overlap with messages from other UEs.
Because of the potential motion of the UE, the current value of TA is considered valid only for a short length of time as determined by a timer set by the BS. If there is no further data communication before that time elapses, then a new TA has to be negotiated using the RACH. This means that the radio in the UE will have a valid TA only (i) when there is an active data connection; and (ii) for a short time after, as limited by the TimingAdvance Timer.
Timing Advance in practice is quantized, and limited in magnitude, so as to permit it to be represented by a number with a fixed number of bits in communications between the BS and the UE.
To allow transmission in a fixed size packet, there is an upper limit on the integer representing TA. In the case of GSM, this is a 6 bit quantity, ranging from 0 to 63. So the maximum (one-way) distance is about 35 km (there is a mechanism to provide for extended range, where TA can be as large as 219, corresponding to a maximum range of about 121 km, but this is not often used because it reduces capacity since the size of time slots has to be doubled).
Again, there is an upper limit on possible values. In LTE, the initial TA sent from the BS to the UE is an 11 bit quantity, restricted to a maximum value of 1282 (incremental updates sent from the BS to the UE are signed quantities packed into six bits). This provides for a maximum (one-way) distance of just over 100 km.
It's not clear whether this is a misfeature of
(ii) the radio interface layer (RIL) code;
(iii) the Qualcomm SnapDragon code;
(iv) 3GPP documentation;
(v) misinterpretation of the Timing Advance as the time of one-way travel, or ...
The following shows superposition of circles with radius based on such least squares fitting. This confirms that the unit of mTimingAdvance is not 78 meters.
(ii) there is data activity on the LTE connection.
Note that this typically will not happen if there is an active WiFi connection because data will preferentially go over WiFi. So you may want to turn off WiFi while exploring. Of course, in that case, data charges will accrue when updating the map since that will be done over the cellular system. To keep data transmission rates low, uncheck “Satellite View” in the ‘More’ menu.
Touching the screen inside one of the circles will bring up information including the BS ID (which, for LTE, is MCC:MNC LAC:CI) and the TA for that circle. (The circles are overlaid in decreasing order of TA, so that a smaller circle is higher in “Z-order” than a larger one).
The circles are color coded based on the CI value of the BS ID. Since base station antennas typically are part of a group covering different sectors (often 3 6, or 9 sectors --- see also Cellular ID Numerology) an attempt is made to color circles belonging to related antennas with the same color. This is based on the rule that the high order 24 bits of CI are the eNodeB number and the last 8 bits are the sector number (sadly, some carriers do not seem to stick to this rule consistently).
The overlayed circles can be used in various ways. One is to travel around an area to try and locate places where TA is small, perhaps 0. You are then probably within roughly 156 meter of the BS. Another is to travel some distance, preferrable not simply in a straight line, and watch for circles overlapping more and more in the area where the base station is located. See examples above.
If you travel in a straight line, and the BS is not on your path, then there may be a two-way ambiguity (to the left or to the right of the road you travelled). Such ambiguities can often be resolved by looking in both places on Google Maps. In addition, the ID of the BS (namely MCC, MNC, LAC and CI) can be used to interrogate Google's database of base stations using simple JSON queries (see the Google Maps Geolocation API for details). Note that the location reported back this way is not the location of the base station (otherwise there would be no point to all of this here!). Instead it is the centroid of locations from which cellphones reported connecting to a particular BS (which is what is most useful for location dependent advertizing). Also reported back is the “accuracy” radius (RMS spread of those contacts relative to their centroid), which gives some idea of how close the centroid might be to the actual location of the BS.
(*) Base station sector antennas have a wide spread horizontally (typically 120° sectors) but narrow vertically (maybe 5° or 10°). So when coming close to an antenna that is mounted high up, you may be “under the beam” and get only a weak signal, and so your phone may connect to another BS, just when you come close to the building that the antennas of interest are mounted on.
(*) In the city, in order to serve demand for many connections and high throughput, there are many more BS antennas per unit area than outside the city. As a result, there will be a lot of confusing “hand overs” from one BS to another as one moves around.
(*) Each BS serves only a small area in built-up areas. The 156 meter distance quantization of the Timing Advance (TA) is a larger fraction of the typical inter-antenna spacing than it is outside the city where antennas are spaced far apart.
(*) BS antennas in cities tend to be camouflaged for aesthetic reasons and so may be hard to locate visually from the ground (or using Google Maps Street View). Outside cities, antennas serve larger areas and tend to be mounted on towers instead of stuck to the sides of buildings and painted to match the color and texture of the building.
(*) In rare cases, when the connection is not line-of-sight (LOS), reflection off some building will cause TA to be larger than it would be had a straight line connection between the UE to the BS been possible (Such reflections seem to happen only for short distances, or when there are repeaters, since the reflected signal is much weaker than the direct signal).