Monitoring cell towers

One of my favorite books is Ilya Grigorik’s High Performance Browser Network. In addition to many helpful tips, the book contains many fascinating stories from real life.

“46% of battery consumption for transferring 0.2% of information from the total number of bytes.

Whenever a Pandora user plays a song, the music file is transmitted by the app from the network in one go, which is the correct behavior: copy as much data as possible, and then you can turn off the radio for a long time.

However, after the music is streamed, the app will periodically analyze the audience, sending intermittent analytic requests every 60 seconds. Pure effect? Analytics queries accounted for 0.2% of the total bytes transferred and 46% of the total application power consumption! “

– Ilya Grigorik, High Performance Browser Networking

Ilya is in no hurry to state his point of view in detail. To educate readers on cell phone battery life, he devotes an entire chapter to detailed descriptions of GSM, UMTS and LTE radio modems. It is surprising to realize that problems at one level can find their roots at several levels below.

Drive from Sunnyvale to downtown Mountain View.

By examining the entire stack, High Performance Browser Networking does more than provide facts. He defends philosophy.

Good developers know how things work.
Great developers know why everything works.
– Steve Souders, High Performance Browser Networking, Foreword

The old idea is new again

When I read this in 2013, I thought it would be cool to do my own research and visualize the radio jumping from one cell to another while the phone is traveling.

This idea could not be implemented with my 2013 iOS phone as it did not provide the data I needed, but my current Pixel does not have this problem. LocationManager can provide GPS location (latitude, longitude) every second. Meanwhile, TelephonyManager gives out cellID = (mmc, mcc, lac, cid), which is the radio currently on.

CellID Database [1] lets you know (latitude, longitude) of each CellID. All that remains is to draw the route (in red) and for each second a color-coded cell connection.

The above result shows a 7-minute trip, 3.7 km long, with an LTE-enabled phone (also known as UE for user equipment). Five towers and nine cells (also known as eNB for Evolved NodeB) were discovered along the way.

Analysis

Combining the map, Google StreetView, and Wikipedia made a lot of things sorted out.

Multiple cell IDs are mapped to the same latitude and longitude coordinates of the eNB. This is because the antennas installed on the eNB do not have 360 ° coverage. The angle and range of each antenna divides the space into pizza-shaped cells.
The antennas are strategically located and oriented. On the map to the right, the towers are located along Highway 85, with the antennas pointing parallel to it. Some antennas are extremely narrow and long range. Possibly to adapt to high density during traffic jams.
eNBs have a much higher density than I thought. Googling about the “range of a cell phone tower”, I got a figure of 45 miles. This may be true in rural areas, but in a city, population density and eNB density are related. That means there were towers every mile in Sunnyvale.
The sites are not necessarily shared between operators. The CellID (CellMapper) database is so accurate that I was able to go into Google StreetView and see the actual towers. I expected to see huge monoliths with large antenna arrays for each operator, but in most cases it looked like there was only one antenna.
ENB antennas can be found on many things besides masts[2]… Some of these places are churches[3], electrical supports[4] and even commercial buildings.
Once you get used to looking for them, these once invisible cell towers become impossible to ignore.
The LTE radio UE is capable of hopping from cells to and fro. Several times within a minute seems to be a common occurrence in the city to mitigate the obstacle to construction.
The pairing of towers (aka camping) looks deterministic. In the two previous maps, the use of the tower in the general part of the trip looks the same. The selection is made according to the state machine configured by each cell via SIB broadcasts. The state transition occurs based on a variety of factors, such as the signal strength threshold of the previous cell or the signal strength threshold of the next cell.
During a “long” (10 miles) drive, I saw that the LAC (Location Area Code) part of the CellID remained the same. According to the LTE specifications, cell towers do not need to handoff the UE while the phone remains in the LAC. The phone begins to position itself on the next tower, remaining in RCC_IDLE mode without data transmission. This not only saves battery, it also means that carriers don’t really know where the phone is as long as it stays in the same LAC (although the accuracy of cell-based geolocation has been disputed since the days of GSM [5]).
Each tower seems to use three 120 ° antennas. It’s pretty obvious when you’re circling around one.

Bypassing the tower shows a 120 ° radius of each cell.

Deeper down the rabbit hole

Drawing maps was fun. This made me want to know more about this area. I found that it was not only deep but also quite wide. Even compiling a minimal table to summarize it required a significant amount of research on abbreviations.

Esoteric world

Since 1998 with 2G (GSM), all technology stacks have been standardized and documented by 3GPP. These specifications cover over a hundred documents. Understanding them seems to be the achievement of a lifetime.

No open source LTE stack to learn from[6]and even if it were, cell phone band emissions are tightly regulated to ensure that frequencies are not contaminated by buggy modems.

The few books in this area are very expensive. My “genuine window of interest” was fueled by these three.

An introduction to LTE by Christopher Cox.
LTE Advanced Sasana Ahmadi.
Long Term Evolution in Bullets, 2nd Edition by Chris Johnson.

Finally, there are apps that let you look under the hood to show the status of the modem and messages. I decided not to use them as they are not only expensive but also require rooting the phone.