*Another great post from Berthold Horn – a rather nifty trick … potentially you don’t even need a data connection to query a database in order to get an approximate bearing on your tower direction (that’s how OpenSignalMaps android app works). From the antenna ID (BID) on CDMA then you can get an approximate bearing. Berthold explains in detail:*

Android provides a lot of useful information to an app, such as the “unique ID” (analogous to a numeric internet IP address) for the base station that the phone is currently connected to. But there are some useful things that it does not offer up. This includes which frequency band one is connected on (e.g. “cellular,” around 850 MHz, versus “PCS,” around 1900 MHz) and the direction in which the cell tower lies.

Curiously, one can get an approximate bearing using just the base station code (BaseID in the case of CDMA) — expressed in hexadecimal. This is because carriers use a simple numbering scheme for the three “sector” antennas on a cell phone tower. Each of these sectors cover azimuthal directions of roughly 120 degrees, and the corresponding “unique ID”s are assigned related numbers, typically in clockwise order, starting with the antenna pointing closest to North. Applications like OpenSignalMaps can provide you with the complete “unique ID” (in the case of CDMA this would be SystemID, NetID, and BaseID).

BaseIDs are numbers in the range 0 – 65536 (16 bits) and so can be viewed as four-digit hexadecimal numbers in the range 0x0000 to 0xFFFF. With some carriers (e.g. U.S. Cellular), the least significant (right-most) hexadecimal digit will be either 1, 2 or 3, — with 1 used for the sector antenna pointing closest to North. You can, of course, obtain this “direction code” just by dividing the BaseID by 16 and keeping the remainder.

With some other carriers (e.g. Verizon Wireless and Sprint/Nextel), the “direction code” is instead the second hexadecimal digit from the left (In this case the BaseIDs of related sector antennas will differ by 256 rather than by 1). You can obtain the “direction code” in this case by first dividing the BaseID by 256, and then extracting the right-most hexadecimal digit of the result as above.

If you are connected to a base station whose direction code is 1, then you are probably somewhere North of the tower, and so, from your point of view, the tower is somewhere to the South. Similarly, if the digit is 2, then the tower is probably roughly NorthWest, and if the digit is 3, then the tower is probably roughly NorthEast.

As an example, suppose that you are connected to U.S. Celular 1317:15:25795 (SystemID=1317, NetID=15, BaseID=25795) then the BaseID is 0X64C3 in hexadecimal and the direction code (the right-most digit) is ‘3’, so the tower is roughly NorthEast of you. If instead you are connected to Verizon Wireless base station with unique ID 28:5:8697 then the BaseID is 0x21F9 in hexadecimal and the relevant digit (the second one) is ‘1’, so the tower is roughly South of you.

Keep in mind that these directions are only approximate — for a start, each sector antenna covers about 120 degrees of azimuthal directions.

The above shows what can be learnt in a static situation. Somewhat more information can be obtained by driving around a bit. If you drive past a cell tower, you are likely to be handed over from one sector to another. If the sequence of “direction codes” indicates clockwise motion (from 1 to 2, from 2 to 3, or from 3 to 1), then the tower was on your right as you passed it. If instead it indicated anti-clockwise motion (from 3 to 2, from 2 to 1, or from 1 to 3), then the tower was on your left.

As an example, consider the illustration which shows a Verizon Wireless tower with three sector antennas with BaseIDs 12570 (pointing roughly North), 12826 (roughly SouthEast) and 13082 (roughly SouthWest). Driving along RT 302 from East to West will likely lead to a handoff from 12826 (0X321A) to 13082 (0x331A). The “direction code” transition 2 -> 3 indicates that the tower is to the right of the direction of travel. Conversely, travelling South on RT 5 would likely lead to a handoff from 12570 (0x311A) to 13082 (0x331A). The transition 1 -> 3 indicates that the tower was to the left of the road travelled.

how do you know what the locator is when the bid is a 3 digit number like 938 (x3AA) where the second digit is a letter. I can easily find the bid and know where most of the towers are, but need to know which one to point my antenna.

in India we have 2G cellID like 56821(DDF5), 63323(F75B), how do we know the locator.

thanks

Pingback: An armed robber’s Supreme Court case could affect all Americans’ digital privacy for decades to come | Complete World News

Pingback: Your cell phone knows where you are at all times — and a Supreme Court case could keep police from knowing, too | Donald J. Trump No. 45

Pingback: Your cell phone knows where you are at all times — and a Supreme Court case could keep police from knowing, too | Brief News