Given the availability of coherent receivers, and the increase in processing power available to general purpose machines, it should be possible to passively calculate in realtime or almost real time a precise position for devices emitting RF in a wide range of bands.

This has massive privacy implications; These systems have existed, but have previously been prohibitivly expensive and utilized mainly be state actors.

The system described below should allow for passive realtime positioning of every cellphone in a wide radius of ~2-3 blocks. The system is inexpensive, with the price point of under one thousand dollars. It also scales and could be added to linearly as funds become available.


  • Purchase 2 or more KerberosSDR systems. ( $140 USD at the current time ).
  • Purchase an equal number of compute devices that have a reasonable amount of processing power (2-4 cores, ~2ghz should be plenty).
  • Connect a single compute device to each SDR. Setup software to compute a compass position for each transmission that is received. The output should be a datastream that contains a frequency, and a compass position. The datastream should also include the GPS coordinates of the SDR that is collecting this data.
  • Collect the data from all the different coherent receivers in a central location, such as a public cloud provider.
  • Compute the intersecting point given the three different datastreams. The output of this should be a datastream with objects containing a GPS position, Frequency, and timestamp.
  • Visualize on a map overlay.

Use cases

The first use case that comes to mind is passively tracking cell phones. Being able to see a snapshot of the position of all cellphones in a given area has wide ranging applications, from security awareness of devices and therefor most likely a person, to density tracking, and passively tracking commute patterns. Imagine a system that is deployed at a city scale; Taking snapshots and correlating all RF on even a minute by minute basis would provide a very high degree of insight into the locations of cell phones.

Being able to find people in an earthquake or other natural disaster could be greatly sped up, as it is likely that a persons cell phone would be near or on them, even if they were not able to use it.

Another use case is the ability to track devices that emit small bursts on ISM bands. Such devices could be very small and inexpensive, consisting of a battery, a small IC that contains a realtime clock and a transmission circuit. Asset tracking becomes a lot more inexpensive, as currently technologies almost always rely on a GPS receiver. Circuits could be made that are less than a dollar, and operate for a relatively long period of time, such as a week or two.

Applications for inexpensive low cost position tracking are massive, from asset tracking, to tracking the location of a consumer packaged good after the purchase.

Challenges and issues

Efficent calculation of compass position locally

Assuming a bandwidth of 1Mhz, a single SDR with a analog to digital conversion bit depth of 12 would result in a 12mbit stream of raw samples. Given that the coherent receivers linked to above contain 4 of these, the bitrate of the raw samples would be ~48mbit.

Calculating compass position from these samples is CPU intensive, and doing it over a large bandwidth simply multiplies the number of concurrent or effectively concurrent operations the local compute node will have to make.

It should be possible to limit the number of compass calculations by filtering the raw samples in reasonable ways; This alone might be enough to allow for a modest CPU to perform adiquately. Especially if sampling of the samples were used.

Matching events in multiple datastreams

The datastream from each coherent receiver in raw samples is not insignificant, as the information contains a timestamp, frequency, and compass directionality. Transmitting the raw sample would not increase the bandwidth requirement all that much, as even at 1s samples, this information per receiver would be the bandwidth in bits multiplied by ~9 for the compass directionality. This assumes that the system would send the data to the server in a way that frequency can be calculated based on the position of the compass data within the entire dataset.

The result is merging datastreams that contain ~9mbit of compass information. Assuming at least two receivers, that gives us a system that has a datastream of inputs that are at least ~18mbit. Adding additional receivers should be possible, and only increase the accuracy of the calculation.


To be written..