Timing Advance and Phone Location Estimates – Cell Phone Forensics
- rich4285
- 7 days ago
- 14 min read
Timing Advance, Distance to Cell, Historical Phone Location estimates, Expert Analysis
Introduction
My blog on the SWGDE process for mapping phone locations drew quite a few comments, so I thought I would dig a bit deeper with this blog and get into the weeds on timing advance in LTE: describe its function and identify its faults for geolocation in court cases. I performed drive testing with a focus on timing advance and compared the measured values to the values in the LTE specification.
A Bit of History
First, a bit of history. The thing that differentiates wireless from wireline is the obvious fact that one transmits data through a wire and the other through the air. That one difference dictates how each must be addressed technically. A wire is shielded and suffers minimal, if any, effect from the environment. Issues usually arise at the connections between equipment, but these can be managed relatively easily through proper installation, maintenance procedures and quality components.
Wireless, on the other hand, must deal with many unknowns and a constantly changing environment that affects the communications path. Interference, both from within the cellular system and external to it, has affected cellular communications since it began with analog technology. In those days it was called co-channel, adjacent-channel and multipath interference. The technology then moved to TDMA and GSM, both digital time division multiple access technologies, which allowed multiple conversations to share a single frequency by digitizing the signal and allocating specific time slots to each user. These were still affected by co-channel, adjacent-channel and multipath interference, but additional types arose, including timing advance errors and inter-symbol interference due to poor synchronization.
CDMA uses spread spectrum technology: all users share the same wideband frequency, but each conversation is identified by a code. The classic analogy is a room full of people speaking different languages when you only understand English. Everyone in the room is speaking a different language, except that one person across the room speaks to you in English. His voice is just loud enough that you understand what he is saying. In CDMA each conversation has a code, and you only communicate with the party using the same code. As long as the other conversations are not creating too much noise (interference), you should be able to communicate.
Interference in CDMA arises when the noise created by the system, or external to it, gets high enough to affect your ability to communicate. Signal-to-noise ratio (SNR, or SINR when interference is counted) is a key parameter in maintaining a quality CDMA system. Low SNR occurs when the signal is weak and/or the noise is high. Noise can come from other users in the network, strong signals transmitted from the base stations and external sources.
TDMA, GSM and CDMA all had to handle multipath in a similar way. Signals from the mobile are received at the base station at different times because they travel over different paths. If the UE sends the word "Hello", that word propagates through the air along many different paths; cellular is not a direct line-of-sight system like microwave. Some of the Hellos arrive later than others, like hearing multiple echoes, and the base station must deal with this. TDMA and GSM require the signal to arrive in a specific time slot, so to handle the delayed copies they add a guard period around the time slot, which lets signals arrive at slightly different times, and then equalize the received signal using various techniques.
CDMA does not require the signal to arrive within a specified time slot: because each user has a code, the base station can identify which user a signal comes from and piece the digital information back together. It does have what is called a search window, the time range within which it accepts the multipath copies of a signal. Thus, it handles multipath in a similar way.
LTE does not use a spreading code like CDMA. It uses Orthogonal Frequency Division Multiplexing (OFDM): a wide frequency channel is divided into many narrow subcarriers that are orthogonal, meaning they can be packed tightly together without interfering with each other. Subcarriers are grouped into resource blocks, and resource blocks are assigned to users in time slots, so LTE has a time-division structure as well. The scheduler also chooses, on a dynamically changing basis, the resource blocks on which each UE currently has the best signal (frequency-selective scheduling, with optional frequency hopping on the uplink). This reduces the effect of Rayleigh fading on any one subcarrier.
In LTE we see interference as well from multipath, system noise and external noise. Interference has been with us since analog cellular and will continue to be with us as we move into future technologies.
Interference, timing and poor signal to noise are the main culprits in being able to obtain accurate phone location estimates. They affect timing advance and round-trip time calculations. These are addressed in the following paragraphs.
Inter-Symbol Interference
Inter-Symbol Interference (ISI) occurs when successive symbols in a digital communication system overlap, causing distortion and errors in signal detection. This degrades the ability of the system to recover the information sent over the air. Several situations in LTE can cause high levels of ISI.
Cell Edge
LTE is typically deployed with a frequency reuse of one ("single reuse"), meaning the same frequencies are used by every cell in the network. This provides the maximum capacity, but the resulting interference must be managed. As the User Equipment (UE) gets further from its serving cell and closer to a neighbor cell, the Signal to Noise Ratio (SNR) degrades because the serving signal weakens while the interference from the neighbor grows. Many schemes have been implemented to reduce this, with varying degrees of success. Any such scheme gives back some of the technology's capacity gain, so this is a balance between network quality and capacity, struck by the system performance teams at the wireless network providers.
Multipath
In urban areas, signals bounce off buildings, causing multipath interference. Signals that arrive at the base station are received at different times. The network combines these signals that fall within an acceptable time window. In many cases the signals fall outside the acceptable time window thus interfering with other users. Other users’ signals may fall outside their time window and interfere with our user. When interfering signals fall inside our time window it creates disruptions in digital information thus causing inter-symbol interference.
Uplink Interference
The uplink is the path from the UE to the base station. Uplink interference is caused by other UEs transmitting at a high power level and interfering with the desired UE. A UE at the edge of an adjacent cell transmits at high power to reach its serving cell. That UE, and others at the edge of that cell, cause interference to me because I am on the cell next to theirs. Interfering UEs can cause inter-symbol interference in my desired data stream.
Mobility Challenges
When a UE moves rapidly (e.g., in a car or train), its distance from the cell tower changes constantly. This requires frequent Timing Advance (TA) updates, which can introduce synchronization delays. The UE can transmit in the wrong time slot thus affecting the timing alignment calculation.
Handover Complexity – High-speed UEs often move between cells quickly, triggering frequent handover procedures. If TA adjustments are not updated fast enough, uplink synchronization can degrade, leading to packet loss or increased latency.
Doppler Effect – Fast-moving UEs experience Doppler shifts, which can distort signal timing and affect the accuracy of TA calculations. This is particularly problematic in high-speed rail or highway scenarios.
UEs at the cell edge may experience timing drift, leading to misalignment in symbol transmission and reception.
Hetnets
HetNets are situations where small cells are installed within a macro cell coverage area. This is done to increase capacity and throughput. Macro cells provide wide-area coverage, while small cells enhance capacity in dense areas.
Because they share frequency resources, UEs connected to both layers can experience cross-layer interference, leading to signal distortion.
When a UE moves between a macro and small cell, its transmission timing may drift, causing handover interference if not properly managed. UEs connected to small cells must adjust their Timing Advance (TA) values for proper uplink synchronization. If this adjustment is delayed, the UE may transmit at the wrong time, causing ISI.
Dense urban environments with small cells can create multiple reflected signal paths. This effect is more pronounced when small cells are placed in complex environments like indoor spaces, tunnels, or highly obstructed areas.
Small cells are often deployed close to each other to improve network capacity. If small cells are too close, their signals may overlap, increasing the chance of ISI. Overlapping coverage can also create frequency interference, affect LTE’s orthogonality and cause symbol misalignment.
Neighboring Cells and TA
Neighbor cells do not monitor the Timing Advance (TA) of a UE. Only the serving cell sends TA commands to the mobile, and the mobile does not receive a TA from a neighboring cell until it hands over to that cell. So there is no simultaneous measurement of TA for more than one cell, and comparing distances via TA values from multiple cells is not valid: the TA values from different cells are obtained only after handoff, so they are not simultaneous.
How Neighbor Cells Handle Timing Information
Handover Preparation – When a UE moves toward a neighbor cell, the serving eNodeB collects measurement reports (such as Reference Signal Received Power, RSRP) and decides whether a handover is needed.
TA Adjustments After Handover – Once the UE connects to the new eNodeB, the new cell determines the appropriate TA value based on the UE’s distance.
Timing Advance
Timing advance is used in LTE to adjust when the mobile sends its signal so that it arrives at the eNodeB (tower) at the correct time within the uplink frame it has been assigned. In the startup sequence, when a user first powers up the phone, the phone scans for available networks and synchronizes its downlink timing with the best eNodeB. No TA is assigned yet.
The Random Access (RA) procedure occurs next: the mobile sends a Random Access Preamble to the eNodeB. The eNodeB measures when the preamble arrives relative to its own uplink frame timing, calculates an initial TA value from that delay, and sends it to the mobile in the Random Access Response.
These initial TA values range from 0 to 1282 (an 11-bit field). Each step is 16 times the LTE basic time unit, about 0.52 microseconds. The TA corrects a round trip, downlink plus uplink, so one step corresponds to 0.52 microseconds multiplied by the speed of light and divided by two, about 78 meters of one-way distance. The maximum value of 1282 steps is approximately 667 microseconds, corresponding to approximately 100 kilometers.
After this, the eNodeB keeps the UE aligned by sending Timing Advance Command MAC control elements. The LTE subframe is 1 millisecond, so a command can be sent in any subframe, but the eNodeB sends one only when it measures that the UE's uplink timing has drifted; the UE also runs a time alignment timer and must repeat the random access procedure if the timer expires without a fresh command. The command is a 6-bit value from 0 to 63, where 31 means no change; each step above or below 31 moves the UE's transmit timing earlier or later by one 0.52 microsecond (78-meter) step.
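To make the arithmetic above concrete, here is an added Python example (not code from this post, and not Enhancell's or any operator's software) that encodes the LTE TA units: the basic time unit Ts, the 16·Ts step, the round-trip halving that yields 78 m, the 11-bit initial TA from the Random Access Response, the 6-bit Timing Advance Command with 31 meaning "no change", and the normal and extended cyclic prefix lengths discussed in the next section. The constants follow the LTE specification; the function names and the "does the residual fit in the CP" check are this example's own.

```python
"""LTE timing advance arithmetic.

Added worked example, not code from the post. Constants follow
3GPP TS 36.211 (Ts, cyclic prefix), TS 36.213 (TA command) and
TS 36.321 (MAC control element); the function names are the example's own.
"""

C_M_PER_S = 299_792_458.0             # speed of light
TS_S = 1.0 / (15_000 * 2_048)          # LTE basic time unit, about 32.55 ns
TA_STEP_TS = 16                        # one TA step is 16 Ts
TA_STEP_S = TA_STEP_TS * TS_S          # about 0.5208 us
INITIAL_TA_MAX = 1282                  # 11-bit field in the Random Access Response
TA_CMD_MAX = 63                        # 6-bit Timing Advance Command MAC CE
TA_CMD_NO_CHANGE = 31                  # command value 31 leaves N_TA unchanged
NORMAL_CP_S = 144 * TS_S               # normal CP on OFDM symbols 1-6, about 4.69 us
EXTENDED_CP_S = 512 * TS_S             # extended CP for large cells, about 16.67 us


def ta_step_metres() -> float:
    """One-way distance represented by one TA step.

    The TA corrects the round trip (eNodeB -> UE -> eNodeB), so the
    one-way distance is half of c * step: about 78 m, not 156 m.
    """
    return C_M_PER_S * TA_STEP_S / 2


def ta_to_distance_m(ta: int) -> tuple[float, float]:
    """Lower and upper one-way distance bound for an initial TA value.

    The eNodeB quantises the measured delay to whole steps, so a UE
    holding TA=4 can be anywhere in the bin [4*78, 5*78) metres.
    """
    if not 0 <= ta <= INITIAL_TA_MAX:
        raise ValueError(f"initial TA must be 0..{INITIAL_TA_MAX}, got {ta}")
    step = ta_step_metres()
    return ta * step, (ta + 1) * step


def max_ta_distance_m() -> float:
    """Largest one-way distance the 11-bit initial TA can express (about 100 km)."""
    return INITIAL_TA_MAX * ta_step_metres()


def apply_ta_command(n_ta: int, cmd: int) -> int:
    """Apply a 6-bit Timing Advance Command to the current N_TA (in Ts).

    TS 36.213 4.2.3: N_TA_new = N_TA_old + (T_A - 31) * 16. Values above 31
    make the UE transmit earlier, values below 31 make it transmit later.
    A negative N_TA has no meaning, so this example rejects it.
    """
    if not 0 <= cmd <= TA_CMD_MAX:
        raise ValueError(f"TA command must be 0..{TA_CMD_MAX}, got {cmd}")
    new_n_ta = n_ta + (cmd - TA_CMD_NO_CHANGE) * TA_STEP_TS
    if new_n_ta < 0:
        raise ValueError("command would make N_TA negative")
    return new_n_ta


def residual_fits_in_cp(timing_error_s: float, delay_spread_s: float,
                        cp_s: float = NORMAL_CP_S) -> bool:
    """True if the UE's leftover timing error plus the channel's multipath
    delay spread still fits inside the cyclic prefix. Once the sum exceeds
    the CP, echoes of the previous symbol leak into the current one (ISI).
    """
    return abs(timing_error_s) + delay_spread_s <= cp_s


if __name__ == "__main__":
    lo, hi = ta_to_distance_m(4)
    print(f"one TA step = {ta_step_metres():.2f} m; TA 4 covers {lo:.0f}-{hi:.0f} m")
    print(f"max initial TA = {max_ta_distance_m() / 1000:.1f} km")
    n_ta = 4 * TA_STEP_TS                      # N_TA set by an initial TA of 4
    n_ta = apply_ta_command(n_ta, 33)          # later MAC CE: advance by 2 steps
    print(f"N_TA after command 33: {n_ta} Ts = {n_ta * TS_S * 1e6:.2f} us")
    print("half-step quantisation error + 2 us delay spread fits normal CP:",
          residual_fits_in_cp(TA_STEP_S / 2, 2e-6))
```

The quantisation alone means a UE is only ever located to a 78-metre bin; the CP check shows why that bin is acceptable to the network (the leftover error is small compared with the 4.7 µs guard) even though it is coarse for forensic ranging.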
Cyclic Prefix
The Cyclic Prefix (CP) is part of the OFDM structure LTE uses to handle multipath. Since a cell transmits in a broad pattern, the signal is received at different times over different paths; as mentioned before, this would sound like multiple echoes if one could hear it. The CP is a guard interval inserted before each OFDM symbol: it widens the window of time within which delayed copies of the symbol can arrive without corrupting the next one. The normal cyclic prefix is about 4.7 microseconds, which corresponds to a path difference of about 1,410 meters; an extended CP of about 16.7 microseconds exists for large cells.
CP and TA do different jobs. CP creates the window of time within which the copies of a signal must arrive. TA is used by the network to steer the UE's transmission so that it lands inside that window at the eNodeB.
Think of the following analogy, which I must admit CoPilot created:
“Think of a relay race:
TA is like telling each runner exactly when to start running so they reach the baton handoff zone at the same time.
CP is like making the handoff zone extra wide, so even if someone’s a little off, the baton still gets passed cleanly.”
Drive Test
I performed a drive test using a rooted Motorola G Stylus 5G 2024 phone running Android 14 with the Echo One software from Enhancell running on the phone. Enhancell provides software tools to cellular network operators worldwide for performance measurement and optimization. They have licensed the proprietary interface directly to the phone chipsets. The software collects hundreds of parameters. See www.enhancell.com for more information.
The Echo One software runs on a rooted phone. Rooting is required for the software to access the network parameters. Rooting does not change the operating software of the phone; it allows access to system-level folders and files.
Both the RA and non-RA timing advance values were logged, but only the non-RA timing advance values were mapped and analyzed, as the RA timing advance updates far less often.
The continuous (non-RA) timing advance values are logged by the software at around twice per second. This is much slower than the rate at which the eNodeB can issue TA commands, which is up to once per 1 millisecond subframe. For this analysis I do not believe this has an impact on the results.
The drive test data presented here is based on a single cell tower covering a combination of industrial, retail and residential areas. Nearly all the structures were one or two stories high. The terrain is flat with assortments of trees in full foliage.
I draw no definitive general conclusions because even though I collected quite a bit of data around the tower it is essentially only one tower on one network operator, Verizon. Hopefully, others can perform their own testing in other areas on other networks in collaboration.
The phone was on the Verizon network, and I identified a Verizon tower approximately 50 meters high. The phone was mainly in idle mode, but I did make a few test calls. There didn't seem to be any difference in how the timing advance values were logged or displayed based on whether the phone was idle or on a call. I drove around the tower collecting network-related data, including timing advance as recorded by the phone. When the phone switched to another tower (eNodeB), I turned back toward the tower. My goal was to drive the entire coverage area of the tower.
The following map shows the drive test with the colors representing different timing advance values. The tower is in the middle of the map indicated by a red pin.

Using the Google Earth measurement tool, I measured the distance to the closest and furthest points for each timing advance value. The table below shows the TA values, their time and corresponding distance values from the LTE specification, my measured values, and the differences of the averages and of the ranges.

The "Avg Diff" column compares the average of the distance range from the LTE spec with the average of the measured values, calculated from the closest and furthest points. For example, for a TA value of 4 the LTE spec range is 312 to 390 meters, whose average is 351. The average of the measured values for TA 4 is (203 + 523)/2 = 363. The difference is (363 - 351)/351 = 3.4%. Many of the average differences are fairly close to zero, giving the impression that the measured values are close to the LTE specification values, and one might conclude that determining distance, and thus phone location, from timing advance gives a fairly accurate estimate.
However, the "Range Diff" column tells a very different story. The range difference compares the measured range with the range in the LTE specification. For example, for TA 9 the spec range is 78 meters (780 - 702). The measured range is 840 - 544 = 296 meters. The difference in percentage terms is (296 - 78)/78 = 279.5%; the measured spread for that TA value is almost four times the 78 meters in the LTE specification. If one were strictly using a timing advance value of, say, 9 for a location measurement, they could be off by 100 meters or so based on my testing.
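The Avg Diff and Range Diff calculation above, as an added Python example (not the post's own analysis code): the two rows quoted in the text, TA 4 (203 to 523 m measured) and TA 9 (544 to 840 m measured), are entered by hand, the spec bin uses the rounded 78 m step the table uses, and it adds one figure the table does not have, the largest distance by which a measured extreme falls outside the spec bin. The TaRow structure and function names are assumptions of the example.

```python
"""Compare measured TA distance ranges with the LTE specification bins.

Added example, not code from the post. The two rows below are the
measured values quoted in the text (single Verizon eNodeB, flat terrain);
the rest of the table is not reproduced here.
"""
from dataclasses import dataclass

TA_STEP_M = 78.0   # rounded per-step one-way distance the post's table uses


@dataclass(frozen=True)
class TaRow:
    ta: int
    closest_m: float   # nearest point with this TA value, measured in Google Earth
    furthest_m: float  # furthest point with this TA value


# Rows quoted in the text; the full table has more TA values.
MEASURED = [TaRow(4, 203.0, 523.0), TaRow(9, 544.0, 840.0)]


def spec_range_m(ta: int) -> tuple[float, float]:
    """Distance bin the LTE spec implies for a TA value: [ta*78, (ta+1)*78)."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def avg_diff_pct(row: TaRow) -> float:
    """(measured midpoint - spec midpoint) / spec midpoint, in percent."""
    lo, hi = spec_range_m(row.ta)
    spec_avg = (lo + hi) / 2
    meas_avg = (row.closest_m + row.furthest_m) / 2
    return round((meas_avg - spec_avg) / spec_avg * 100, 1)


def range_diff_pct(row: TaRow) -> float:
    """(measured spread - spec spread) / spec spread, in percent."""
    lo, hi = spec_range_m(row.ta)
    spec_range = hi - lo
    meas_range = row.furthest_m - row.closest_m
    return round((meas_range - spec_range) / spec_range * 100, 1)


def outside_bin_m(row: TaRow) -> float:
    """Largest distance by which a measured extreme lies outside the spec bin.

    This is the error an analyst makes by placing a phone with this TA
    inside the spec bin when it was actually at the measured extreme.
    Zero means both extremes fell inside the bin.
    """
    lo, hi = spec_range_m(row.ta)
    return max(lo - row.closest_m, row.furthest_m - hi, 0.0)


def analyse(rows: list[TaRow]) -> dict[int, dict[str, float]]:
    """Build the comparison table keyed by TA value."""
    return {
        r.ta: {
            "avg_diff_pct": avg_diff_pct(r),
            "range_diff_pct": range_diff_pct(r),
            "outside_bin_m": outside_bin_m(r),
        }
        for r in rows
    }


if __name__ == "__main__":
    for ta, cols in analyse(MEASURED).items():
        lo, hi = spec_range_m(ta)
        print(f"TA {ta:2d}: spec {lo:.0f}-{hi:.0f} m  "
              f"avg diff {cols['avg_diff_pct']:+.1f}%  "
              f"range diff {cols['range_diff_pct']:+.1f}%  "
              f"outside bin by up to {cols['outside_bin_m']:.0f} m")
```

The midpoint comparison hides the problem because errors on the near and far side cancel; the spread comparison and the outside-bin distance show how far a single TA value can actually be from the 78 m bin the specification implies.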
Conclusions
I can draw some conclusions based on my testing alone but it is a limited test so hopefully others will contribute and provide additional testing and insights. I also hope others will review this for any inaccuracies or errors I may have made. Please email me with any corrections, suggestions or comments.
With that said, I offer the following conclusions based on my analysis and testing of Timing Advance. Timing Advance is a parameter used by the network in real time to align when information from the UE is received by the eNodeB. It is not used for location by the network in real time. Timing Advance adjustments are affected by multiple types of interference. Timing Advance can be converted to a distance by multiplying its time increment by the speed of light and halving the result, since it covers the round trip. This technique has been used to estimate the location of the mobile.
The "distance to cell" parameter is provided in network operator call records. The source of this data is not disclosed by the network operators. I have been involved with cases where the prosecution expert has stated that since the timing advance value is a specified parameter in the LTE specification and it is used to calculate the distance to cell value, the method is not proprietary. They were trying to get around the fact that network operators use proprietary methods to determine the latitude/longitude phone location estimate by instead using the distance to cell parameter and claiming it was not created with a proprietary method. This method is also recommended by SWGDE; see my blog on that: Scientific Working Group on Digital Evidence (SWGDE) Continues to be Wrong - Mobile Forensics.
This logic is false. First, they assume that the distance to cell parameter comes directly from the timing advance; nothing in the documentation states this. Second, they assume that the timing advance alone is an accurate measure of distance, which it is not. Third, the network operator does not provide an error factor or confidence interval for the distance to cell estimate. Every estimate requires an error factor, even one based on timing advance alone.
The Cyclic Prefix accommodates multipath, allowing signal copies whose path lengths differ by up to about 1,400 meters to be combined. This adds further error to any location analysis based on timing.
Even though my test was performed on a single eNodeB, it provides valuable information from which we can draw some conclusions. The test was performed over flat terrain with mostly one- and two-story structures, so there was minimal effect from fading or multipath. Other situations, such as urban or hilly areas, would most likely show wider variations between measured values and what is documented in the LTE specification.
My test data shows that the measured ranges for each of the timing advance values differ greatly from what is specified. In some cases, it was 7 times larger than the specified range.
Verizon and other network operators do not provide the TA values in their call records. They provide only the estimated position of the phone as latitude/longitude coordinates, an error factor and a distance to cell measurement. They do not provide an error factor for the distance to cell measurement.
This constitutes a very large error in distance to the cell. Based on this test data we can assume that the distance to cell estimates in the call records are either very inaccurate or are not based on timing advance alone. If they are not based on timing advance alone, then a proprietary algorithm is being used to generate them. In either case, their use in legal cases is highly dubious.
References:
- Nur Syazwani Mustaffa, Wan Norsyafizan W. Muhamad, Aliya Syahira Mohd Anuar, "A Review on Techniques to Improve the Cell Edge Performance for Wireless Networks", International Journal of Advanced Trends in Computer Science and Engineering, Vol. 9, No. 1.4, 2020
- Supratim Deb, Pantelis Monogioudis, "Learning Based Uplink Interference Management in 4G LTE Cellular Systems", arXiv:1309.2543v1 [cs.NI], 10 Sep 2013
- Farhana Afroz, Kumbesan Sandrasegaran, H. Al Kim, "Interference Management in LTE Downlink Networks", International Journal of Wireless & Mobile Networks (IJWMN), Vol. 7, No. 1, February 2015
- Monica Paolini, "Interference management in LTE networks and devices", white paper, Senza Fili Consulting, 2012
- Leslie A. Jarvis, Jr., "Geolocation of LTE Subscriber Stations Based on the Timing Advance Ranging Parameter", Naval Postgraduate School, December 2010
- Microsemi Corporation, "Timing and Synchronization for LTE-TDD and LTE-Advanced Mobile Networks", 2014
- Decodio AG, "TDOA Localization: From Theory to the Field", Version 1.0, 10 October 2023
- Frank Rayal (CTO, Telesystem Innovations), "LTE in a Nutshell: The Physical Layer", Telesystem Innovations Inc., 2010
- Debasis Ratha (Senior Technical Trainer, Rohde & Schwarz), "LTE Simplified - 04 - The Basics: Cyclic Prefix", https://www.linkedin.com/pulse/lte-simplified-04-basics-cyclic-prefix-debasis-ratha/, October 10, 2018
- "Timing Advance (TA) and Cyclic Prefix (CP) in 5G and their differences", https://www.nxgconnect.com/post/timing-advance-ta-and-cyclic-prefix-cp-in-5g-and-their-differences