Once the network configuration is done, we can observe all the phones that are registered to our network in the “tmsis” section in OpenBTS.

 

So, how can we locate a cellular phone which is registered to our network?

For that purpose we can use the GSM parameter called RXLEV  – Received Signal Level.

RXLEV is a number from 0 to 63 that corresponds to a dBm value range.

0 represents the weakest signal and 63 the strongest:

​

 

 

 

 

 

 

 

 

RSSI (Received Signal Strength Indicator) below -110 dBm are generally considered unreadable in GSM.

RSSI in the area of -50 dBm are rarely seen and would indicate that the cellular phone is right next to the BTS.

We can monitor each cellphone’s RXLEV in the “chans” section in OpenBTS:

​

​

​

​

 

All there is left to do – locate the cellphone.

While searching for the target cellular phone, we will need to keep it active (performing communications with the network) in order to determine if we are getting closer/further to it.

​

Most of the time cellular phones are in idle mode- meaning no communications with their network at all, until something awakens them, such as a phone call, SMS, internet activity, etc.

For that reason, we will use a “master” cellular phone, and perform a phone call to the target phone in order to keep it active.

The target phone doesn’t have to answer the call- the call itself allows us to monitor the RXLEV of the target phone.

​

Now we monitor the RXLEV parameter, and searching for the target phone while keeping track of RXLEV, until it is strong- then we know that the cellular phone is very close.

​

To sum up, the whole process is:

​