February 1, 2026 · 8 min read

Your Phone Silently Sends GPS to Your Carrier: Here's How

RRLP and LPP protocols let carriers silently extract your precise GPS coordinates from your phone's baseband. No app permissions, no notification, no consent dialog. The protocol was designed for 911, but that's not all it's used for.

Here's something that will ruin your morning: right now, your mobile carrier can send a silent command to your phone, and your phone will compute its exact GPS coordinates and send them back. No notification. No permission prompt. No indication whatsoever that it happened.

This isn't a bug. It isn't a hack. It's a feature, baked into the cellular protocol stack since the early 2000s, operating at a layer so deep that your phone's operating system doesn't even know it's happening.

The protocols are called RRLP (Radio Resource Location services Protocol) for 2G/3G networks, and LPP (LTE Positioning Protocol) for 4G/5G. Together, they form what's known as control-plane positioning, and they're the reason your carrier knows where you are with GPS-level precision, whether you want them to or not.

How It Actually Works

To understand why this is invisible, you need to understand how your phone's architecture is split. Every smartphone has two processors:

- The application processor (AP): this runs iOS or Android, your apps, your location permissions
- The baseband processor (BP): this runs the cellular modem firmware, handles radio communication, and talks directly to the cell tower

These two processors are largely isolated. The baseband is a black box: it runs its own RTOS (real-time operating system), has its own firmware, and handles its own protocol stack. When your carrier sends a location request, it goes to the baseband, not to Android or iOS.
Here's what the flow looks like:

    +------------------+           +------------------+           +------------------+
    | Carrier / SMLC   |    LPP    | Cell Tower       |    RRC    | Phone            |
    |                  |---------->| (eNodeB)         |---------->| Baseband         |
    | "Send me         |  request  |                  |           | Processor        |
    |  your GPS"       |           |                  |           |  +------------+  |
    |                  |           |                  |           |  | GPS        |  |
    |                  |<----------|                  |<----------|  | chipset    |  |
    +------------------+           +------------------+           |  +------------+  |
          GPS coordinates (lat, lon, accuracy)                    |                  |
                                                                  | App CPU has      |
                                                                  | NO IDEA this     |
                                                                  | happened         |
                                                                  +------------------+

The carrier's SMLC (Serving Mobile Location Centre) sends a positioning request over the control plane, the signaling channel used for call setup, handovers, and network management. This isn't user data. It's infrastructure-level signaling.

The baseband receives the request, activates the GPS chipset, computes coordinates, and sends them back. The application processor (the part that runs your apps and enforces location permissions) is never involved.

The Protocol Details

RRLP (defined in 3GPP TS 04.31) was designed for GSM and UMTS networks. It supports two positioning methods:

- MS-Assisted: the phone takes raw GPS measurements and sends them to the network, which computes the position
- MS-Based: the phone computes the full GPS fix itself and sends back finished coordinates

In MS-Based mode, the network first sends assistance data (satellite ephemeris, reference time, approximate position) to speed up the GPS fix. Then the phone does the math and returns a result.
This is what a simplified RRLP message exchange looks like:

    // RRLP Measure Position Request (Network -> Phone)
    {
      methodType: "msBased",      // phone computes position
      positionMethod: "gps",      // use GPS
      responseTime: 8,            // seconds to respond
      accuracy: 20,               // meters (requested)
      assistanceData: {
        referenceTime: 1706745600,
        referenceLocation: {
          lat: 28.6139,           // approximate lat (Delhi)
          lon: 77.2090            // approximate lon
        },
        navigationModel: { /* satellite ephemeris data */ }
      }
    }

    // RRLP Measure Position Response (Phone -> Network)
    {
      locationEstimate: {
        lat: 28.614523,
        lon: 77.209112,
        altitude: 216,
        uncertainty: 12           // meters
      },
      timestamp: 1706745608
    }

LPP (defined in 3GPP TS 36.355) is the 4G/5G successor. Same concept, more positioning methods: it adds OTDOA (Observed Time Difference of Arrival), ECID (Enhanced Cell ID), and in 5G Release 16+, NR positioning with sub-meter accuracy. But the core principle is identical: the network asks, the baseband answers, the OS never knows.

The critical detail: RRLP requires no authentication. The phone doesn't verify that the location request is legitimate, tied to an emergency call, or authorized by any legal process. The baseband just... responds.

Harald Welte demonstrated this at HAR2009 back in 2009, proving that smartphones would hand over GPS coordinates to anyone who could send a properly formatted RRLP request via a rogue base station.

Who's Been Using This?

This capability was originally designed for E911, the FCC mandate that mobile phones must be locatable when calling emergency services. Reasonable enough. But "designed for emergencies" and "restricted to emergencies" are very different things.

Law enforcement: The quiet tool

In 2006, the DEA was already using carr...
Mobile carriers can silently retrieve precise GPS coordinates from phones using RRLP and LPP protocols without user consent or notification. These protocols, designed for emergency services, are also used for other purposes, raising privacy concerns about silent location tracking.
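
The gap between "designed for emergencies" and "restricted to emergencies" can be audited from the handset side. The Python sketch below is an added example, not code from the original article: it scans a baseband diagnostic trace for RRLP/LPP positioning requests that do not follow an emergency call. The trace line format, the sample lines, the time windows and the function names are assumptions constructed for illustration, not the output of any real tool.

```python
from datetime import datetime, timedelta

# Constructed sample trace. The line format is hypothetical (an assumption),
# standing in for whatever a baseband diagnostic interface actually exports.
SAMPLE_TRACE = """\
2026-02-01T08:00:05Z CALL_SETUP type=emergency
2026-02-01T08:00:09Z RRLP MeasurePositionRequest method=msBased accuracy=20
2026-02-01T08:00:17Z RRLP MeasurePositionResponse uncertainty=12
2026-02-01T11:42:30Z LPP RequestLocationInformation method=ueBased accuracy=20
2026-02-01T11:42:38Z LPP ProvideLocationInformation uncertainty=9
2026-02-01T19:03:00Z CALL_SETUP type=normal
2026-02-01T19:03:02Z RRLP MeasurePositionRequest method=msAssisted accuracy=50
"""

REQUESTS = {("RRLP", "MeasurePositionRequest"), ("LPP", "RequestLocationInformation")}
RESPONSES = {("RRLP", "MeasurePositionResponse"), ("LPP", "ProvideLocationInformation")}


def parse(trace):
    """Yield (timestamp, name_tokens, key=value fields) for each non-empty line."""
    for raw in trace.splitlines():
        parts = raw.split()
        if not parts:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        names = tuple(p for p in parts[1:] if "=" not in p)
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        yield ts, names, fields


def unsolicited_requests(trace, window=timedelta(minutes=5),
                         reply_within=timedelta(seconds=30)):
    """Return positioning requests with no emergency call in the preceding window."""
    events = list(parse(trace))  # assumed to be in chronological order
    emergencies = [t for t, n, f in events
                   if n == ("CALL_SETUP",) and f.get("type") == "emergency"]
    findings = []
    for i, (t, names, fields) in enumerate(events):
        if names not in REQUESTS:
            continue
        if any(timedelta(0) <= t - e <= window for e in emergencies):
            continue  # plausibly the E911 use the protocol was designed for
        # Did the baseband answer on the same protocol shortly afterwards?
        answered = any(n in RESPONSES and n[0] == names[0]
                       and timedelta(0) <= t2 - t <= reply_within
                       for t2, n, _ in events[i + 1:])
        findings.append({"time": t.isoformat(), "protocol": names[0],
                         "method": fields.get("method"), "answered": answered})
    return findings
```

On the constructed trace, the request at 08:00:09 is skipped because it follows an emergency call setup by four seconds, while the LPP request at 11:42:30 and the RRLP request at 19:03:02 are reported.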