CN112399361A - Non-sensing positioning system and method for LTE terminal - Google Patents

Publication number
CN112399361A
Authority
CN
China
Prior art keywords
target
rnti
terminal
message
hit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011464557.2A
Other languages
Chinese (zh)
Other versions
CN112399361B (en)
Inventor
王小伟
陈辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Zhongruantong Technology Co ltd
Original Assignee
Wuhan Zhongruantong Technology Co ltd
Application filed by Wuhan Zhongruantong Technology Co ltd
Priority to CN202011464557.2A
Publication of CN112399361A
Application granted
Publication of CN112399361B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12 Messaging; Mailboxes; Announcements
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H04W64/00 Locating users or terminals or network equipment for network management purposes, e.g. mobility management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method for positioning a terminal in an LTE wireless communication network environment. Given only the target's number, and without the target perceiving anything, it can determine the TMSI or C-RNTI of the target, trigger communication between the target and a base station, measure the target's transmit power, and report the power to an interface and a background process for data analysis, so as to determine the direction of the target and gradually approach its position through multiple measurements. By matching message content, the invention greatly reduces the number of short-message triggers and improves matching speed and precision. The invention uses a correlation algorithm to calculate the signal-to-noise ratio and power of the terminal's uplink signal; it can detect uplink power below the noise level and can therefore detect the signal of a terminal that is farther away from the analysis equipment.

Description

Non-sensing positioning system and method for LTE terminal
Technical Field
The invention provides a method for positioning a terminal in an LTE wireless communication network environment. Given only the target's number, and without the target perceiving anything, it can determine the TMSI or C-RNTI of the target, trigger communication between the target and a base station, measure the target's transmit power, and report the power to an interface and a background process for data analysis, so as to determine the direction of the target and gradually approach its position through multiple measurements.
Background
In an LTE wireless communication system, a base station serves many terminals, which may be communicating with the base station or dormant, and whose signals interfere with one another. The first challenge is therefore to pick out the target from among these terminals; the second, once the target has been determined, is to locate it.
The first method is to simulate a base station: a terminal tries to register and reports its IMEI or IMSI to the simulated base station, and if the IMEI or IMSI of the target is known locally, the target can be determined. After the target has registered, the base station can make it send signals periodically, and the target can be positioned by measuring the strength of those signals. The simulated base station in such a positioning system generally has to transmit a stronger signal than the surrounding operator base stations before a terminal will register on it, so the positioning system has high energy consumption, is bulky and has a short range. In addition, the target terminal cannot communicate with the operator base station during positioning, that is, it cannot use the internet or make a call, which the target terminal's user can perceive.
The second method is to simulate the start-up process of an ordinary LTE terminal, acquire the PCI information and common radio resource configuration information of the surrounding cells, determine the C-RNTI of the target terminal, then acquire the DCI information and finally the uplink resource configuration of the target terminal, and measure and determine direction according to that uplink resource configuration to complete the positioning of the target terminal. In a live operator network the RNTI of a terminal changes often, so false alarms may occur, and their probability increases in a heavily loaded cell with many users. In addition, measurement of the uplink resource is disturbed by noise and by interference from terminals in adjacent cells, so the measurement result is inaccurate.
Disclosure of Invention
The invention provides a method that can identify and position an LTE terminal in a complex real-world environment without the terminal perceiving it. Identification specifically means identifying the C-RNTI of the target LTE terminal, and positioning can be accurate to the meter level.
The invention provides a positioning system for an LTE terminal which, as shown in Fig. 1, comprises a control terminal for a network supporting the 3GPP standard (GSM, WCDMA, TDSCDMA or LTE) and an analysis device.
The control terminal must support a wireless network of the 3GPP standard (GSM, WCDMA, TDSCDMA or LTE) and be able to send short messages on the corresponding operator network. In software, it sends a special kind of short message to the target terminal at specific time intervals. This special short message is produced through an interface that can access the underlying protocol stack of the mobile phone: when the short message is encoded into a PDU packet, a specific field is modified according to the protocol and specific short-message content is sent. When the short message reaches the receiver and is processed, it is discarded as the protocol requires, so the receiver's phone interface shows no prompt and the receiver's normal operation is not affected, which achieves the goal of "no perception". In addition, the control terminal communicates with the analysis device over Bluetooth, determines from the time interval between the information reported by the device and the short message sent whether the target is in a large area tracked by the system device or a small area tracked by the system device, determines and stores the possible target TMSI and its C-RNTI, and sends the target TMSI to the analysis device once the TMSI is determined. If an RNTI corresponding to the TMSI is received later, the target's C-RNTI must be updated and stored on the control terminal.
The analysis equipment accesses the LTE public network through 2 or 4 antennas arranged in specific directions and simulates the start-up and operator-search process of an ordinary LTE terminal. It obtains the PCI, broadcast messages and system messages of several surrounding cells and tracks the common control channel and dedicated control channel of each cell. The TMSI and RNTI carried in a Contention Resolution message captured on the common control channel are uploaded to the control terminal as an access message; the TMSI carried in a Paging message captured on the common control channel is uploaded to the control terminal as a paging message; and on the dedicated control channel, the size of each PDCP-layer PDU packet is checked, and for packets that match the characteristics of the short message, the packet length and the corresponding C-RNTI are uploaded to the control terminal. In addition, after the control terminal has issued the target TMSI and C-RNTI, whenever an access message for that TMSI is received the signal analysis device must update the RNTI corresponding to the target TMSI. Once the C-RNTI of the target is determined, the DCI0 messages corresponding to that RNTI must be tracked, the signal-to-noise ratio and peak power of the uplink signal calculated by the DMRS correlation method, and the signal-to-noise ratio and peak power reported to the control terminal.
The invention also provides a positioning method for an LTE terminal. The system used by the method consists mainly of two parts, an analysis device and a control terminal, which communicate over Bluetooth. The control terminal mainly handles interaction with the user, display of analysis results, short-message triggering and the target-screening decision. The analysis equipment mainly performs cell search and analysis of the control channel (PDCCH). Control channel (PDCCH) analysis must support five transmission formats: DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2. DCI Format 0 concerns the uplink channel and is mainly used in the power calculation; for the other DCI formats the message content must be analyzed in depth to work out the specific type and related content of each message, and the analysis results are sent to the control terminal for the final target decision. Referring to Fig. 2, the steps are as follows:
S1: The analysis equipment simulates the start-up process of an ordinary LTE terminal, that is, the process in which an ordinary LTE terminal powers on and searches for operators. Specifically, it acquires the PCIs (Physical Cell Identities), broadcast messages and system messages of several surrounding cells, stores them locally, and uploads the PCIs to the control terminal for display.
S2: After the cell search is finished, the control terminal continuously sends a special short message to the target terminal. A specific field of the short-message packet is modified according to the protocol, and the message contains specific short-message content. When the short message reaches the target terminal and is processed, it is discarded as the protocol requires, so the target terminal's phone interface shows no prompt and its normal operation is not affected, which achieves the purpose of no perception. In addition, because the content of the short message is also specific, when the analysis device observes the unique PDCP packet corresponding to the special short message, it determines whether the target is in the large area or in the small area (cell) being tracked and determines the TMSI and C-RNTI of the target. It then obtains the DCI information corresponding to the C-RNTI, and finally acquires the uplink resource allocation of the target terminal, calculates the signal-to-noise ratio and peak power of the uplink signal by the DMRS correlation method, and positions the target terminal according to the signal-to-noise ratio and peak power obtained.
The analysis process is as follows. Each cell is traversed, and for each cell the following steps are performed:
Step S201: Blind detection of the PDCCH. For the common search space, five transmission formats must be supported: DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2. For the UE-specific search space, four transmission formats must be supported: DCI Format 1A/0, 1, 2A and 2. DCI1A has the same length as DCI0 and differs only in the first bit. For aggregation levels 8 and 4, algorithms such as soft-bit autocorrelation can be used to judge first which transmission format is most likely, after which the result is decoded and stored. For aggregation levels 2 and 1, every format is tried, the format with the lowest convolutional-decoding bit error rate is taken, and the result is stored. Because the number of blind detections is very large, thresholds on different conditions (for example, performing blind detection only when the signal strength exceeds a certain threshold) should be used to reduce the number of blind detections and speed up blind detection.
Step S202: Identify the target, that is, acquire the C-RNTI of the target terminal.
If the transmission format is DCI Format 0, check whether the C-RNTI corresponding to the DCI Format 0 is the same as the C-RNTI of the target terminal. If it is, the ULGrant corresponding to the DCI0 is the ULGrant used by the target terminal: store the ULGrant corresponding to the DCI0 and execute step S203 (S2031-S2032) to calculate the uplink power of the target terminal and position it according to the uplink power. If it is not, discard it without processing.
If the transmission format is anything other than DCI Format 0, perform steps S2021-S2022: detect the corresponding PDSCH and store all packets that pass the CRC, for analysis and acquisition of the C-RNTI of the target terminal.
Step S2021: The analysis equipment detects the access RAR message, the access message and the paging message. If the RNTI corresponding to the PDSCH is an RA-RNTI, the PDSCH carries an RAR message, and the content of the corresponding RAR packet, which includes the ULGrant and the C-RNTI, is stored. If the RNTI corresponding to the PDSCH is a C-RNTI, the PDSCH carries an access message and its content is classified by the MAC header: if the MAC header is UE Contention Resolution, the content of the carried MSG3, which includes the TMSI and C-RNTI, is parsed and uploaded to the control terminal as an access message; if the MAC header is SRB or DRB, the content of the carried PDCP packet is examined further, and if it matches the expected short-message characteristics it is uploaded to the control terminal as a direct hit message, together with the C-RNTI and the PDCP-related information. If the RNTI corresponding to the PDSCH is the P-RNTI, the PDSCH carries a paging message, and the TMSI in the message is uploaded to the control terminal.
Step S2022: The control terminal determines the TMSI of the target terminal from the messages uploaded by the analysis equipment and decides whether there is a large-area hit or a small-area (cell) hit. If the hit is an access message, the decision is based on the time interval between the access message and the short message sent by the control terminal: a hit that meets the condition is a valid hit, a hit that does not is a false hit, a target with repeated valid hits is treated as a cell hit, and a cell-hit prompt is shown on the user interface. If the hit is a paging message, the decision is based on the time interval between the paging message and the short message sent by the control terminal: a hit that meets the condition is a valid hit, a hit that does not is a false hit, a target with repeated valid hits is treated as a large-area hit, and a large-area-hit prompt is shown on the user interface. If the hit is a direct hit message, the control terminal can check whether an access message with the same C-RNTI was seen in the preceding period; if so, a TMSI hit is prompted and the C-RNTI and TMSI are displayed together, and if not, a C-RNTI hit is prompted. After a hit, the control terminal sends the analysis equipment a hit message containing the TMSI (if any) and the C-RNTI of the hit target.
Step S203: Calculate the uplink power of the target terminal and position it according to the uplink power.
Step S2031: The analysis device decides whether a DCI0 is valid. The ULGrant and the DCI0 both indicate uplink resources of the target terminal. The ULGrant indicates the resources for the access message, and the access message is bound to exist whenever the subsequent access flow exists, so the ULGrant needs no ACK check. To reduce power false alarms, however, it must be decided whether a decoded DCI0 is valid, because the DCI0 may have been decoded incorrectly, or for some reason the terminal may not have transmitted on the resource indicated by the DCI0. The base station sends an ACK/NACK on the PHICH for each message transmitted by the terminal, and the protocol standard defines the time-slot relationship among the DCI0, the terminal's uplink signal and the ACK on the PHICH. After receiving the C-RNTI of the hit target, the analysis equipment watches for a corresponding DCI0 being decoded; if one is, it analyzes the PHICH in the corresponding time slot, stores the DCI0 if an ACK is carried on the corresponding PHICH resource, and otherwise discards the DCI0.
Step S2032: For each stored DCI0, the analysis equipment calculates the signal-to-noise ratio and power of the UE uplink signal using the DMRS correlation method. It locally generates the DMRS signal corresponding to the ULGrant or DCI0, correlates it with the uplink time-domain signal, and takes the sum of the squares of the I and Q components of the correlation result as the power. The peak of this power divided by its mean is taken as the SNR, and the peak itself is taken as the power. The SNR and power are uploaded to the control terminal, which prompts the user by text, image or voice, and the user judges the position of the target terminal from the power displayed by the control terminal.
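The correlation measurement of step S2032, as an added example that is not code from the patent: it correlates a known reference sequence against a noisy capture, takes I² + Q² per lag as power, and reports peak and peak/mean as the SNR figure, showing why a signal about 10 dB below the noise per sample is still detectable. The Zadoff-Chu sequence stands in for the locally generated DMRS, and the capture, its length, the offset and the noise are constructed values (assumptions).

```python
import cmath
import math
import random

# Constructed parameters for this illustration (not from the patent).
REF_ROOT = 25        # Zadoff-Chu root, coprime with REF_LEN
REF_LEN = 503        # reference length (odd), i.e. the correlation length
CAPTURE_LEN = 1024   # samples in the constructed capture
OFFSET = 300         # sample index where the reference is embedded


def zadoff_chu(root, length):
    """Constant-amplitude Zadoff-Chu sequence, used here as a stand-in for
    the locally generated reference signal."""
    return [cmath.exp(-1j * math.pi * root * n * (n + 1) / length)
            for n in range(length)]


def make_capture(ref, total_len, offset, amplitude, seed):
    """Constructed capture: complex Gaussian noise of total power 1.0 with
    `ref` scaled by `amplitude` added at `offset` (0.0 gives noise only)."""
    rng = random.Random(seed)
    sigma = math.sqrt(0.5)  # 0.5 per I/Q component -> noise power 1.0
    capture = [complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
               for _ in range(total_len)]
    for n, r in enumerate(ref):
        capture[offset + n] += amplitude * r
    return capture


def correlation_power(capture, ref):
    """Slide the reference over the capture; for each lag return the sum of
    the squares of the I and Q parts of the correlation result."""
    conj_ref = [r.conjugate() for r in ref]
    powers = []
    for lag in range(len(capture) - len(ref) + 1):
        acc = sum(capture[lag + n] * c for n, c in enumerate(conj_ref))
        powers.append(acc.real ** 2 + acc.imag ** 2)
    return powers


def peak_and_snr(powers):
    """Return (peak lag, peak power, peak / mean), the two figures that
    step S2032 reports as power and SNR."""
    peak = max(powers)
    mean = sum(powers) / len(powers)
    return powers.index(peak), peak, peak / mean


def run_example(amplitude, seed=7):
    """Build a constructed capture and measure it against the reference."""
    ref = zadoff_chu(REF_ROOT, REF_LEN)
    capture = make_capture(ref, CAPTURE_LEN, OFFSET, amplitude, seed)
    return peak_and_snr(correlation_power(capture, ref))


if __name__ == "__main__":
    # Signal power 0.1 against noise power 1.0: -10 dB per sample.
    lag, peak, snr = run_example(amplitude=math.sqrt(0.1))
    print(f"signal present: peak lag={lag} peak={peak:.0f} "
          f"peak/mean={10 * math.log10(snr):.1f} dB")
    lag, peak, snr = run_example(amplitude=0.0)
    print(f"noise only:     peak lag={lag} peak={peak:.0f} "
          f"peak/mean={10 * math.log10(snr):.1f} dB")
```

Summing 503 samples coherently raises the signal term by a factor of 503 in power relative to the noise term, which is the processing gain that lets the peak stand out even though each individual sample is dominated by noise.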
The beneficial effects of the invention are:
1. The method and system can identify and position the target terminal without perception, and can be applied to police investigation equipment.
2. By matching message content, the invention greatly reduces the number of short-message triggers and improves matching speed and precision. The method remains usable in complex environments where the C-RNTI changes.
3. By detecting the ACK/NACK that the base station sends to the terminal on the PHICH, the invention can determine where (on which resources) the terminal actually transmits and so reduce uplink power false alarms. For example, suppose the base station allocates 6 resources to the terminal and the terminal uses only 3 of them. Without analyzing the ACK/NACK, the analysis device cannot tell which 3 resources the terminal used, so the false alarm rate is high. By analyzing the ACK/NACK, the invention determines which 3 resources the terminal used, and the analysis equipment only needs to analyze those resources, which lowers the false alarm rate and makes it easier for the user to judge the position of the target terminal.
4. The invention uses a correlation algorithm to calculate the signal-to-noise ratio and power of the terminal's uplink signal; it can detect uplink power below the noise level and can therefore detect the signal of a terminal that is farther away from the analysis equipment.
5. The method has meter-level positioning accuracy, high accuracy and strong anti-interference capability.
Drawings
Fig. 1 is a hardware processing block diagram of the invention. Block 1 is the analysis device, which mainly analyzes the signals of the base station and the terminal; it does not transmit signals and does not affect the operation of the public network. Block 2 is the control terminal, which sends the special short message to the target terminal, sends control information to the signal analysis device, receives messages from the analysis device, decides large-area hits and small-area hits from the time interval between the short message and the device's message, and identifies the TMSI of the target.
Fig. 2 illustrates a specific embodiment thereof.
Detailed Description
The invention provides a method which can identify and position an LTE terminal under the condition of no perception of the LTE terminal in a complex actual environment. The identification specifically refers to identifying the C-RNTI of the target LTE terminal, and the positioning accuracy can be accurate to meters.
The invention provides a positioning system of an LTE terminal, which is shown by referring to the attached figure 1 and comprises the following components: a control terminal and an analysis device of a network (GSM, WCDMA, TDSCDMA or LTE) supporting the 3GPP standard.
The control terminal must support the wireless network of 3GPP standard (GSM, WCDMA, TDSCDMA or LTE), and can send the short message on the corresponding operator network, realize sending a kind of special short message to the target terminal according to the particular time interval through the software, this kind of special short message is realized through an interface that can visit the bottom layer protocol stack of the mobile phone, while encoding the short message into PDU packet, revise the particular field according to the agreement, and send the content of the particular short message, the short message is when arriving the take over party and processing, according to the agreement requirement, this kind of short message will be abandoned, namely take over party's mobile phone interface does not have any suggestion, does not influence the normal work of the take over party, can achieve the goal of "not perceiving"; in addition, the control terminal needs to communicate with the analysis device through bluetooth, determine whether the target is in a large area tracked by the system device or a small area tracked by the system device according to a time interval between information reported by the device and the short message sent, determine and store a possible target TMSI and a C-RNTI thereof, and send the target TMSI to the analysis device after determining the TMSI. If the RNTI corresponding to the TMSI is received later, the C-RNTI of the target needs to be updated and stored on the control terminal.
The analysis equipment is accessed to an LTE public network through 2 or 4 antennas arranged in a specific direction, the process of starting up and searching operators of a common LTE terminal is simulated, PCI, broadcast messages and system messages of a plurality of surrounding cells are obtained, a common control channel and a special control channel of each cell are tracked, and TMSI and RNTI carried in a context Resolution message captured in the common control channel are used as access information to be uploaded to a control terminal; uploading TMSI carried in the Paging message captured in the common control channel to a control terminal as a Paging message; and for the special control channel, judging the size of the PDU packet of the PDCP layer, and for the packet conforming to the characteristics of the short message, uploading the packet length and the corresponding C-RNTI to the control terminal. In addition, after the control terminal issues the target TMSI and the C-RNTI, if the access message of the TMSI is received at any time, the signal analysis device needs to update the RNTI corresponding to the target TMSI. After the C-RNTI of the target is determined, the DCI0 message corresponding to the RNTI needs to be tracked, the signal-to-noise ratio and the peak power of the uplink signal are calculated by adopting a DMRS correlation method, and the signal-to-noise ratio and the peak power are reported to the control terminal.
The invention also provides a positioning method of the LTE terminal, and a system used by the method mainly comprises two parts, namely an analysis device and a control terminal, wherein the analysis device and the control terminal are communicated through Bluetooth. The control terminal mainly completes interaction with the user, display of an analysis result, short message triggering and judgment of target screening. The analysis equipment mainly completes cell search and analysis of a control channel (PDCCH), the control channel analysis (PDCCH) needs to support five transmission formats including DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2, wherein the DCI Format 0 is an uplink channel and is mainly used for a power calculation process, other DCI Formats need to carry out deep analysis on message content, specific types and related content of the messages are analyzed, and analysis results are sent to a control terminal for final target judgment. Referring to fig. 2, the steps are as follows:
s1: the method includes that the analysis equipment simulates a starting process of a common LTE terminal, namely a process of starting the common LTE terminal to search operators, and specifically includes the following steps: and acquiring the PCIs (Physical Cell identities) of a plurality of surrounding cells, the broadcast messages and the system messages, storing the PCIs, the broadcast messages and the system messages locally, and uploading the PCIs to a control terminal for display.
S2: after the cell search is finished, the control terminal continuously sends a special short message to the target terminal, the short message modifies the specific field of the short message packet according to the protocol and contains specific short message content, when the short message reaches the target terminal for processing, the short message is discarded according to the protocol requirement, namely, the mobile phone interface of the target terminal has no any prompt and the normal work of the target terminal is not influenced, and the purpose of no perception can be achieved. In addition, since the content of the short message is also specific, when the analyzing device monitors the unique PDCP packet corresponding to the special short message, it determines whether the target is in the large cell and the small cell where the tracked small cell is located and determines the TMSI and C-RNTI of the target; obtaining DCI information corresponding to the C-RNTI; and finally, acquiring uplink resource allocation of the target terminal, calculating the signal-to-noise ratio and the peak power of the uplink signal by adopting a DMRS correlation method, and positioning the target terminal according to the acquired signal-to-noise ratio and the peak power of the uplink signal.
The analysis process specifically comprises the following steps: traversing each cell, and each cell performs the following steps:
step S201: for blind detection of the PDCCH, five transmission formats including DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2 need to be supported for a common search space, and four transmission formats including DCI Format 1A/0, 1, 2A and 2 need to be supported for a UE-specific search space. DCI1A is the same length as DCI0, except for the first bit. For aggregation levels 8 and 4, algorithms such as soft bit autocorrelation and the like can be adopted to firstly judge which transmission format is most likely, and then the result is decoded and stored; for aggregation levels 2 and 1, traversing each format, then taking the format with the minimum convolutional decoding bit error rate, and storing the result; since the number of blind detection times is very large, thresholds with different conditions (for example, blind detection is performed only when the signal strength is greater than a certain threshold value) should be adopted to reduce the number of blind detection times and increase the blind detection speed.
Step S202: and identifying the target, namely acquiring the C-RNTI of the target terminal.
If the transmission Format is DCI Format 0, judging whether the C-RNTI corresponding to the DCI Format 0 is the same as the C-RNTI of the target terminal, if so, indicating that the ULGrant corresponding to the DCI0 is the ULGrant used by the target terminal, storing the ULGrant corresponding to the DCI0, executing the step S203, namely S2031-S2032, calculating the uplink power of the target terminal and positioning according to the uplink power; if not, discarding and not processing;
if the transmission Format is other than DCI Format 0, steps S2021-S2022 are performed to detect the corresponding PDSCH, and store all packets passing CRC for analyzing and acquiring the C-RNTI of the target terminal.
Step S2021: the analysis equipment detects the access RAR message, the access message and the paging message. If the RNTI corresponding to the PDSCH is RA-RNTI, the PDSCH is an RAR message, and the content in the corresponding RAR packet is stored and comprises the ULGrant and the C-RNTI; if the RNTI corresponding to the PDSCH is C-RNTI, the PDSCH is an access message, then the content is judged according to the MAC header, if the MAC header is UE context Resolution, the content of the loaded MSG3 is analyzed, the content comprises TMSI and C-RNTI and is uploaded to a control terminal as the access message, if the MAC header is SRB or DRB, the content information of the loaded PDCP message packet is further judged, and if the MAC header accords with the expected short message characteristics, the content information is uploaded to the control terminal as a direct hit message, and the C-RNTI and PDCP related information is uploaded to the control terminal; and if the RNTI corresponding to the PDSCH is the P-RNTI, the PDSCH is a paging message, and the TMSI in the message is uploaded to the control terminal.
Step S2022: and the control terminal determines the TMSI of the target terminal according to the message uploaded by the analysis equipment and judges whether large-area hit and small-area hit exist. If the hit is the access message, making a judgment according to the time interval between the short message and the short message sent by the control terminal, taking the hit which meets the condition as effective hit, taking the hit which does not meet the condition as error hit, repeatedly and effectively hitting for multiple times as a cell hit target, and making a cell hit prompt on a user interface; if the hit is the paging message, the judgment is made according to the time interval between the paging message and the short message sent by the control terminal, the hit which meets the condition is taken as the effective hit, the hit which does not meet the condition is taken as the error hit, the hit which repeatedly and effectively hits for many times is taken as the large area hit target, and the large area hit prompt is made on a user interface. If the hit is a direct hit message, whether the same C-RNTI access message exists in the previous period can be searched, if yes, TMSI hit is prompted, the C-RNTI and the TMSI are displayed together, and if not, C-RNTI hit is prompted. After the hit, the control terminal sends a hit message to the analysis equipment, wherein the hit message comprises TMSI (if any) and C-RNTI of the hit target.
Step S203: Calculate the uplink power of the target terminal and position the terminal according to the uplink power.
Step S2031: The analysis equipment decides whether a DCI0 is valid. The ULGrant and the DCI0 both indicate uplink resources of the target terminal. The ULGrant indicates the resources for the access message, and the access message is bound to exist whenever the subsequent access flow exists, so the ULGrant does not need to be checked against an ACK. A decoded DCI0, however, may have been decoded incorrectly, or the terminal may for some reason not have transmitted a signal on the resource indicated by the DCI0, so to reduce power false alarms the decoded DCI0 must be checked for validity. The base station sends an ACK/NACK on the PHICH for the message transmitted by the terminal, and the protocol standard gives the time slot relationship among the DCI0, the terminal uplink signal and the ACK on the PHICH. After receiving the C-RNTI of the hit target, the analysis equipment monitors whether a corresponding DCI0 is decoded; if so, it decodes the PHICH in the corresponding time slot, stores the DCI0 if the corresponding PHICH resource carries an ACK message, and otherwise discards the DCI0.
Step S2032: For each stored DCI0, the analysis equipment calculates the signal-to-noise ratio and power of the UE uplink signal using a DMRS correlation method. It locally generates the DMRS signal corresponding to the ULGrant or the DCI0 and correlates it with the uplink time-domain signal. The sum of the squares of the I and Q components of the correlation result is taken as the power; the peak of this power divided by its mean is taken as the SNR, and the peak itself is taken as the reported power. The SNR and the power are uploaded to the control terminal, which prompts the user in text, image or voice form, and the user judges the position of the target terminal from the power displayed by the control terminal.

Claims (2)

1. A positioning method of an LTE terminal is characterized in that a system used by the method mainly comprises two parts, one part is an analysis device, the other part is a control terminal, the analysis device is communicated with the control terminal through Bluetooth, and the control terminal mainly completes the interaction with a user, the display of an analysis result, the triggering of a short message and the judgment of target screening; the analysis equipment mainly completes cell search and analysis of a control channel (PDCCH), the control channel analysis (PDCCH) needs to support five transmission formats including DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2, wherein the DCI Format 0 is an uplink channel and is mainly used for a power calculation process, other DCI Formats need to carry out deep analysis on message content, specific types and related content of the messages are analyzed, analysis results are sent to a control terminal for final target judgment, and the steps are as follows:
S1: the analysis equipment simulates the start-up process of an ordinary LTE terminal, that is, the process by which an ordinary LTE terminal powers on and searches for operators, specifically: the PCIs, broadcast messages and system messages of a plurality of surrounding cells are obtained, stored locally and uploaded to the control terminal for display;
S2: after the cell search is completed, the control terminal continuously sends a special short message to the target terminal; a specific field of the short message packet is modified according to the protocol and the message contains specific short message content, so that when the short message reaches the target terminal for processing it is discarded according to the protocol requirement; because the content of the short message is also specific, when the analysis equipment monitors the unique PDCP packet corresponding to the special short message, it determines whether the target is within the large area and the small cell being tracked and determines the TMSI and C-RNTI of the target; the DCI information corresponding to the C-RNTI is obtained; finally, the uplink resource allocation of the target terminal is obtained, the signal-to-noise ratio and the peak power of the uplink signal are calculated by a DMRS correlation method, and the target terminal is positioned according to the obtained signal-to-noise ratio and peak power of the uplink signal;
the analysis process specifically comprises the following steps: traversing each cell, and each cell performs the following steps:
step S201: for blind detection of the PDCCH, five transmission formats including DCI Format 1C, DCI Format 1A/0, DCI Format 1, DCI Format 2A and DCI Format 2 need to be supported for a common search space, and four transmission formats including DCI Format 1A/0, 1, 2A and 2 need to be supported for a specific search space of the UE; the length of the DCI1A is the same as that of the DCI0, but the first bit is different, and for aggregation levels 8 and 4, algorithms such as soft bit autocorrelation and the like can be adopted to firstly judge which transmission format is most likely to be used, and then the result is decoded and stored; for aggregation levels 2 and 1, traversing each format, then taking the format with the minimum convolutional decoding bit error rate, and storing the result; because the number of blind detection times is very large, thresholds with different conditions are adopted to reduce the blind detection times and accelerate the blind detection speed;
step S202: identifying a target, namely acquiring the C-RNTI of a target terminal;
if the transmission Format is DCI Format 0, judging whether the C-RNTI corresponding to the DCI Format 0 is the same as the C-RNTI of the target terminal, if so, indicating that the ULGrant corresponding to the DCI0 is the ULGrant used by the target terminal, storing the ULGrant corresponding to the DCI0, executing the step S203, namely S2031-S2032, calculating the uplink power of the target terminal and positioning according to the uplink power; if not, discarding and not processing;
if the transmission Format is other transmission Format except DCI Format 0, executing steps S2021-S2022, detecting corresponding PDSCH, storing all packets passing through CRC, and analyzing and acquiring C-RNTI of the target terminal;
step S2021: the analysis equipment detects an access RAR message, an access message and a paging message;
if the RNTI corresponding to the PDSCH is an RA-RNTI, the PDSCH carries an RAR message, and the content of the corresponding RAR packet, which includes the ULGrant and the C-RNTI, is stored; if the RNTI corresponding to the PDSCH is a C-RNTI, the PDSCH carries an access message, and its content is classified according to the MAC header: if the MAC header indicates UE Contention Resolution, the carried MSG3 content, which includes the TMSI and the C-RNTI, is parsed and uploaded to the control terminal as an access message; if the MAC header indicates SRB or DRB, the carried PDCP packet is examined further and, if it matches the expected short-message characteristics, it is uploaded to the control terminal as a direct hit message together with the C-RNTI and the PDCP-related information; if the RNTI corresponding to the PDSCH is the P-RNTI, the PDSCH carries a paging message, and the TMSI in the message is uploaded to the control terminal;
step S2022: the control terminal determines the TMSI of the target terminal from the information uploaded by the analysis equipment and judges whether there is a large-area hit or a small-area hit; if the hit is an access message, it is judged by the time interval between the access message and the short message sent by the control terminal, a hit that meets the condition being a valid hit and a hit that does not being an erroneous hit, a target with repeated valid hits is treated as a small-area hit target, and a small-area hit prompt is shown on the user interface; if the hit is a paging message, it is judged by the time interval between the paging message and the short message sent by the control terminal, a hit that meets the condition being a valid hit and a hit that does not being an erroneous hit, a target with repeated valid hits is treated as a large-area hit target, and a large-area hit prompt is shown on the user interface; if the hit is a direct hit message, an access message with the same C-RNTI in the preceding period can be searched for, and if one exists, a TMSI hit is prompted and the C-RNTI and the TMSI are displayed together, and if not, a C-RNTI hit is prompted; after a hit, the control terminal sends a hit message to the analysis equipment, the hit message containing the TMSI and the C-RNTI of the hit target;
step S203: calculating the uplink power of the target terminal and positioning according to the uplink power;
step S2031: the analysis equipment judges whether a DCI0 is valid; the ULGrant and the DCI0 both indicate uplink resources of the target terminal; the ULGrant indicates the resources for the access message, and the access message is bound to exist whenever the subsequent access flow exists, so the ULGrant does not need to be checked against an ACK (acknowledgement); a DCI0 may be decoded incorrectly, or the terminal may for some reason not transmit a signal on the resource indicated by the DCI0, so to reduce power false alarms it is necessary to determine whether the decoded DCI0 is valid; the base station sends an ACK/NACK on the PHICH for the message transmitted by the terminal, and the protocol standard gives the time slot relationship among the DCI0, the terminal uplink signal and the ACK on the PHICH; after receiving the C-RNTI of the hit target, the analysis equipment monitors whether a corresponding DCI0 is decoded, and if so, decodes the PHICH in the corresponding time slot; if the corresponding PHICH resource carries an ACK message, the DCI0 is stored, otherwise the DCI0 is discarded;
step S2032: for the stored DCI0, the analysis equipment calculates the signal-to-noise ratio and the power of the UE uplink signal by a DMRS correlation method: it locally generates the DMRS signal corresponding to the ULGrant or the DCI0 and correlates it with the uplink time-domain signal; the sum of the squares of the I and Q components of the correlation result is taken as the power, the peak of the power divided by its mean is taken as the SNR, and the peak is taken as the power; the SNR and the power are uploaded to the control terminal, the control terminal prompts the user in the form of text, images or voice, and the user judges the position of the target terminal from the power displayed by the control terminal.
2. A positioning system of an LTE terminal using the positioning method according to claim 1, comprising: a control terminal and a signal analysis device, the control terminal must support the wireless network of 3GPP standard and can send short messages on the corresponding operator network, the software realizes sending a kind of special short messages to the target terminal according to a specific time interval, the special short messages are realized by an interface which can access the bottom protocol stack of the mobile phone, when the short messages are coded into PDU packets, the specific field is modified according to the protocol and the specific short message content is sent, when the short messages reach the receiver to be processed, the short messages are discarded according to the protocol requirement, in addition, the control terminal also needs to communicate with the analysis device through Bluetooth, according to the time interval between the information reported by the device and the sent short messages, whether the target is in the large area tracked by the system device or in the small area tracked by the system device, determining and storing possible target TMSI and C-RNTI thereof, after the TMSI is determined, issuing the target TMSI to analysis equipment, and if the RNTI corresponding to the TMSI is received later, updating and storing the target C-RNTI on a control terminal;
the analysis equipment accesses the LTE public network through 2 or 4 antennas arranged in a specific direction, simulates the process by which an ordinary LTE terminal powers on and searches for operators, obtains the PCIs, broadcast messages and system messages of a plurality of surrounding cells, and tracks the common control channel and the dedicated control channel of each cell; the TMSI and RNTI carried in a Contention Resolution message captured on the common control channel are uploaded to the control terminal as access information; the TMSI carried in a Paging message captured on the common control channel is uploaded to the control terminal as a paging message; for the dedicated control channel, the size of the PDU packet of the PDCP layer is judged, and for a packet that matches the characteristics of a short message, the packet length and the corresponding C-RNTI are uploaded to the control terminal; in addition, after the control terminal issues the target TMSI and C-RNTI, if an access message of that TMSI is received at any time, the RNTI corresponding to the target TMSI needs to be updated; after the C-RNTI of the target is determined, the DCI0 messages corresponding to that RNTI need to be tracked, the signal-to-noise ratio and the peak power of the uplink signal are calculated by a DMRS correlation method, and the signal-to-noise ratio and the peak power are reported to the control.
CN202011464557.2A 2020-12-14 2020-12-14 Non-sensing positioning system and method for LTE terminal Active CN112399361B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011464557.2A CN112399361B (en) 2020-12-14 2020-12-14 Non-sensing positioning system and method for LTE terminal

Publications (2)

Publication Number Publication Date
CN112399361A true CN112399361A (en) 2021-02-23
CN112399361B CN112399361B (en) 2021-12-31

Family

ID=74625498

Country Status (1)

Country Link
CN (1) CN112399361B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant