Comment by tbrownaw

5 months ago

> SIMs don't know their 'physical location' and triangulation of signals in these bands in the urban environment is non trivial.

IIRC modern cell towers use cool tricks to send stuff for a particular phone to only where that phone is so they can send more total data. Can this not be turned into a precomputed map by taking a test phone everywhere and seeing what settings the tower picks to talk to it?

Sure, so now you are at the front door of a quad of four 300-apartment highrises. What is your next move?

  • A portable spectrum analyzer. A high concentration of phones like this would light up the spectrum when used with a directional wand.

    Portable spectrum analyzers are regularly used to identify interference in urban environments. Even a damaged cable coax line on the street can interfere with cellular signals.

  • With 5G and beamforming and MIMO and decent BTS software (Ericsson or Hua) you can pinpoint the given phone very accurately (within 20 m in urban settings) - without any triangulation, as you know the cell tower sector :) Guess what: you can also measure the azimuth within 0.1 degree, so you could have SOME data at where to look.

    FYI: That was available back in 2022 as standard. Now it could be even better. :P

    • I've already narrowed it down to four buildings for you, so we can consider that all of those methods worked. What is your next move?

      I'm not saying it can't be done, clearly it can be done otherwise this article wouldn't exist. But it is not quite as easy as pointing a magic wand (aka an antenna) at a highrise and saying '14th floor, apartment on the North-West corner', though that would obviously make for good cinema.

  • If even a fraction of those antennas are transmitting at any given time, which you can arrange simply by having the network poll them, all you need to do is wander up and down the hall with a TinySA or something similar. It will be almost ridiculously obvious where all the RF racket is coming from.

    Even before doing that, a handheld Yagi in the parking lot will easily narrow it down to a couple of floors in a specific quadrant of the building.

Yeah, modern cellular and WiFi modems use multiple antennas and beamforming to allow multiple same-frequency connections to occur without interference.

But when people think of beamforming as “pointing a beam at a phone” that’s kinda thinking of the problem backwards. Modems beamform by looking at the various bits of signal delay coming down multiple antennas, and computing a transform function that will effectively result in the signal it sends mimicking those delays and thus forming a beam pointing in the opposite direction of the incoming signal.

But the modem has no idea what physical direction that beam is pointing in, and doesn’t care. It just knows how to analyse an incoming signal to effectively mask the inputs from different antennas in order to extract a very weak signal, by taking advantage of constructive interference between a signal received on multiple antennas, and in turn invert that function to create an equivalently strong constructive interference pattern at the source of the signal when replying.

Most important, the modem has no idea what the actual signal path was; it could have bounced off several buildings, been channeled by some random bit of metal acting as a waveguide, or any other manner of funky interference that literally any physical object creates. All it knows is that a viable signal path must exist (because it received something), and it can compute a function to send a return signal back down the same path. But it’s very hard to turn that abstract signal path function the modem understands into an actual physical direction. Not without doing a load of extra calibration and sampling work to understand exactly how all the antennas the modem uses interact with each other, which nobody does, because that information won’t improve the cell tower’s performance.

  • Indeed. The output of the beamforming algorithm is something like four (complex) numbers that you use to tell which of your radios to shout the loudest (and with what delay), which magically makes the signal become the strongest possible at wherever the device was last heard. And at an infinite amount of other places.

    If you have MIMO, i.e., multiple signal streams, it will be more like a 4x4 matrix instead (how loud should radio X shout signal Y), and you'll not only optimize for “signal 1 should be the loudest possible at receiver 1” but _also_ “signal 1 should be the _most quiet_ possible at receiver 2”.

    The fact that cheap consumer devices are able to do this fairly reliably (one could even say it's pedestrian) at near-gigabit speeds says something about how insane our level of technology is.

    • I think it is the same kind of magic thinking about 5G that causes people to believe that those base stations somehow mysteriously know to within a couple of feet where a handset is located. That's just not how it works, at all. At best you could say that the interference pattern caused by a particular engagement of the radios has a local peak that - hopefully - coincides with the location of a particular handset. But there are countless such interference patterns and no single one will stand out to say 'that's the one', besides the impossibility of actually calculating the patterns because of the lack of knowledge about the environment.

      It's also amusing to see lots of people state with great authority how simple it is to track down a transmitter, when in fact they've probably never so much as participated in a fox hunt, which can get quite interesting at higher frequencies and when not in open field.

  • Thank you for this. I feel like I’ve finally gone from the 0% understanding of how beamforming works, where I’ve been for a decade, to “some basic appreciation for the concept”!

Yes, but they don't know physical location, just a complex number matrix of how each receiver perceives each transmitter, which is inverted to determine how to transmit to optimise that receiver's reception. They don't first determine location and then optimise based on location - they optimise based directly on how the radio waves propagate.
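A worked example of the point made in the comments above (the modem computes a transform from the per-antenna channel it measured; with MIMO that becomes a matrix that is inverted so stream 1 is loud at receiver 1 and quiet at receiver 2). This is added illustration code, not something any commenter posted: the channel matrix is a constructed set of complex gains, and the function names are my own. It computes single-stream conjugate beamforming weights and a zero-forcing MIMO precoder from nothing but those gains, and shows that neither step ever touches a bearing or a position.

```python
"""Beamforming weights derived purely from measured channel coefficients.

Added example (not from the thread). CHANNEL is a constructed matrix of
sample complex gains, not real measurements; all function names are mine.
"""
from __future__ import annotations

import math

Matrix = list[list[complex]]

# Constructed channel matrix H: row k holds what receiver k hears from each of
# the M=4 transmit antennas (complex gain = amplitude and phase after whatever
# multipath the environment applied). Nothing in it encodes an angle.
CHANNEL: Matrix = [
    [1.0 + 0.2j, -0.4 + 0.9j, 0.3 - 0.7j, 0.8 + 0.1j],   # receiver 1
    [0.1 - 0.6j, 0.7 + 0.3j, -0.5 - 0.2j, 0.2 + 0.9j],   # receiver 2
    [-0.3 + 0.4j, 0.2 - 0.8j, 0.9 + 0.1j, -0.6 + 0.3j],  # receiver 3
    [0.5 + 0.5j, -0.1 - 0.3j, 0.4 + 0.6j, 0.7 - 0.4j],   # receiver 4
]


def conj_transpose(a: Matrix) -> Matrix:
    """Hermitian transpose A^H."""
    return [[a[r][c].conjugate() for r in range(len(a))] for c in range(len(a[0]))]


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    """Plain complex matrix product A @ B."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def solve(a: Matrix, b: Matrix) -> Matrix:
    """Solve A X = B for square complex A (Gauss-Jordan, partial pivoting)."""
    n = len(a)
    m = [row_a[:] + row_b[:] for row_a, row_b in zip(a, b)]  # augmented [A | B]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def conjugate_beamformer(h_row: list[complex]) -> list[complex]:
    """Single-stream weights w = conj(h) / |h|.

    Each antenna's phase is rotated so its copy adds constructively at the one
    receiver that produced h. The output is four complex numbers, not a bearing.
    """
    norm = math.sqrt(sum(abs(x) ** 2 for x in h_row))
    return [x.conjugate() / norm for x in h_row]


def zero_forcing_precoder(h: Matrix) -> Matrix:
    """MIMO weights W = H^H (H H^H)^-1, so that H W = I.

    Column k of W carries stream k: gain 1 at receiver k and 0 at every other
    receiver, i.e. 'loudest at receiver 1, most quiet at receiver 2' at once.
    """
    hh = conj_transpose(h)
    gram = mat_mul(h, hh)
    identity = [[1.0 + 0j if i == j else 0j for j in range(len(h))] for i in range(len(h))]
    return mat_mul(hh, solve(gram, identity))


def received_gain(h: Matrix, w_col: list[complex]) -> list[complex]:
    """Complex gain seen by every receiver when one stream is sent with w_col."""
    return [sum(hk * wk for hk, wk in zip(row, w_col)) for row in h]


def demo() -> dict[str, float]:
    """Compare single-stream conjugate beamforming with zero-forcing for stream 1."""
    w = conjugate_beamformer(CHANNEL[0])
    single = received_gain(CHANNEL, w)
    w_zf = zero_forcing_precoder(CHANNEL)
    zf = received_gain(CHANNEL, [row[0] for row in w_zf])
    return {
        "conj_at_rx1": abs(single[0]),  # equals |h1| = 1.8, the maximum possible
        "conj_at_rx2": abs(single[1]),  # leakage: nobody asked for quiet there
        "zf_at_rx1": abs(zf[0]),        # 1.0
        "zf_at_rx2": abs(zf[1]),        # ~0: cancelled by the matrix inverse
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

The conjugate beamformer maximises power at receiver 1 but still leaks a sizeable gain into receiver 2, exactly the "infinite amount of other places" remark; the zero-forcing matrix inverse trades a little power for nulls at the other three receivers. In both cases the only input is the measured channel matrix, which is why the tower can aim without ever knowing where it is aiming.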