last updated: 2023/06/02

- Acronyms:
	- GNSS		global navigation satellite system		https://en.wikipedia.org/wiki/Satellite_navigation
	- A-GNSS	assisted GNSS					https://en.wikipedia.org/wiki/Assisted_GNSS
	- SBAS		satellite based augmentation systems		https://en.wikipedia.org/wiki/GNSS_augmentation
	- TTFF		time to first fix				https://en.wikipedia.org/wiki/Time_to_first_fix
	- NLP		network location provider			https://en.wikipedia.org/wiki/Wi-Fi_positioning_system
	- PSDS		predicted satellite data service
	- SUPL		secure user plane location			https://en.wikipedia.org/wiki/Assisted_GPS#SUPL
	- MSA		mobile station assisted				https://en.wikipedia.org/wiki/Assisted_GPS#Modes_of_operation
	- MSB		mobile station based				https://en.wikipedia.org/wiki/Assisted_GPS#Modes_of_operation


- GNSS is any of GPS (US), GLONASS (RU), Beidou (CN), and Galileo (EU).
	- GNSS satellites can be further helped via SBAS (eg. land towers or ocean buoys).
- GNSS TTFF is slow due to the data rates and distances.
- GNSS TTFF can be sped up by using PSDS or A-GNSS.


- While waiting for a GNSS lock or when an accurate location isn't necessary a NLP can be used instead.
	- NLP does not reduce the GNSS TTFF.
	- NLP typically works by using Wi-Fi access points against a database of their locations and can be very accurate.
	- Examples of NLP are Google Play Services, Qualcomm IZat, and microG's UnifiedNlp.
		- Google and Qualcomm NLP handling performs lookups on their servers allowing them to effectively know your location.
		- UnifiedNlp has both online (eg. Ichnaea) and offline (eg. Deja Vu) databases.
	- Google NLP
		- Can be avoided by not having Google Play Services.
		- Likely is tied to your Google account.
	- Qualcomm NLP
		- Is typically opt-in.
		- Is not on all Qualcomm devices as they charge vendors extra to license it.
		- Includes lots of additional personal or device information:
			- "Qualcomm Location Service": https://www.qualcomm.com/site/privacy/services
		- DivestOS explicitly removes most of the Qualcomm location stack, including this NLP, since 2017/01.


- A-GNSS has control plane and user plane (SUPL).
	- Control plane handling won't be covered here due to needing more research.
	- SUPL is a two-way street, as in the server and client can ask each other to do things.
	- SUPL can provide the almanac as well as ephemeris data.
	- SUPL MSA works by the client sending the server everything it knows so the server can calculate location.
		- This mode allows the server to effectively know your location.
		- DivestOS has disabled MSA since 2018/08/08
	- SUPL MSB works by the server sending everything it knows to the client so the client can calculate location.
	- SUPL requests may contain visible cell towers and their signal strengths.
	- SUPL (MSB) requests on Android typically include the IMSI, MCC, and MNC.
		- Kuketz publicized the IMSI issue first on 2018/10/04: https://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/
		- Many aftermarket systems do not include the IMSI:
			- MSe1969 authored the original patch sometime around or before 2018/10/29
			- DivestOS since 2019/06/02: https://gitlab.com/divested-mobile/divestos-build/-/commit/bb72bccbe
			- GrapheneOS since 2023/01/25: https://grapheneos.org/releases#2023012500
			- CalyxOS since 2023/03/16: https://calyxos.org/news/2023/03/16/march-update/
			- LineageOS 20.0 since 2023/03/12: https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/350287
			- iodéOS since late 2021/early 2022?
	- Android uses supl.google.com as a fallback SUPL server.
		- Carrier config or SIM card can override this.
		- An emergency call can also override this.
			- This functionality may have been abused (by carriers) to gather accurate locations when not actually in an emergency call.
				- https://nvd.nist.gov/vuln/detail/CVE-2018-9526
		- supl.google.com only supports MSB.
		- GrapheneOS provides a proxy override for this since 2023/03/04: https://grapheneos.org/releases#2023030400
		- Some aftermarket systems change the fallback to supl.vodafone.com which is actually just a CNAME to supl.google.com.
	- Some aftermarket systems allow the user to disable use of SUPL:
		- GrapheneOS since 2023/02/10: https://grapheneos.org/releases#2023021000
		- DivestOS 17.1+ since 2023/02/11: https://divestos.org/pages/news#2023-02
		- CalyxOS since 2023/03/16: https://calyxos.org/news/2023/03/16/march-update/
			- LineageOS has this same SUPL/PSDS/XTRA toggle pending: https://review.lineageos.org/q/topic:agps
		- iodéOS since 2023/02/11?


- PSDS is used to download the almanac of the current satellites and their paths.
	- Fetching this file over the Internet is much quicker than waiting for it to be slowly broadcasted.
	- This is typically a static request for a file.
	- Broadcom GPS chips (eg. Samsung Exynos, Google Tensor, and NVIDIA Tegra)
		- The PSDS server is typically defined by the carrier config.
			- Tensor devices use agnss.goog.
			- Others use the plain gllto.glpals.com.
				- DivestOS overrides Tensor to this as well.
			- GrapheneOS provides a proxy for this request since 2022/04/19: https://grapheneos.org/releases#2022041900
		- The PSDS requests are performed by the Android system (frameworks/base), not the GPS stack.
		- These PSDS requests are not known to contain any personal or device information.
	- Qualcomm GPS chips
		- The PSDS server is typically defined by the GPS stack.
			- This is usually xtrapath[1-9].izatcloud.net.
			- The Android system could override the server chosen.
				- As of 2023/04/30 no aftermarket systems override or proxy these requests.
		- The PSDS requests are performed by the GPS stack, specifically xtra-daemon or libloc.
		- The PSDS requests have a User-Agent containing Android version, device manufacturer & model, carrier, and chipset serial number.
			- "Qualcomm GNSS Assistance Service": https://www.qualcomm.com/site/privacy/services
			- With `strings` this can be seen grep'ing for: `/sys/devices/soc0/serial_number` and `XTRA_UA`
			- With libloc source code access this can be seen as: setXtraUserAgent(), proc(), saveUserAgentString(), and getChipsetSerialNo()
		- The PSDS requests may be performed over plain-HTTP, especially if they were before 2018 or so
			- https://nvd.nist.gov/vuln/detail/CVE-2016-5341
		- DivestOS has removed xtra-daemon since 2017/01: https://divestos.org/pages/network_connections#psds
		- DivestOS has removed serial number access since 2023/05/03
		- DivestOS has removed the User-Agent from source-built libloc since 2023/05/05
		- GrapheneOS removes serial number access and User-Agent from xtra-daemon since 2023/04/29: https://grapheneos.org/releases#2023042900
		- CalyxOS removes serial number access since 2023/06/02: https://calyxos.org/news/2023/06/02/feature-update/
			- LineageOS has this same patchset pending: https://review.lineageos.org/q/I6254ef6e160ff0d3c3ce2e51f20f557e75826dff
	- Some aftermarket systems allow the user to disable use of PSDS & XTRA:
		- GrapheneOS has a toggle since 2023/05/05: https://grapheneos.org/releases#2023050500
		- CalyxOS has a toggle since 2023/06/02: https://calyxos.org/news/2023/06/02/feature-update/
			- LineageOS has this same SUPL/PSDS/XTRA toggle pending: https://review.lineageos.org/q/topic:agps
				- DivestOS & iodéOS should have this toggle on 20.0 after it merges


See something wrong? Open an issue or merge request:
- https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/static/misc/gnss.txt
- https://github.com/Divested-Mobile/DivestOS-Website/blob/master/static/misc/gnss.txt