wifi-geolocate is a project in the making.

— Geolocate any devices, anywhere, where any WIFI channel can be seen even if not authenticated.


Enhancing the geographic location of a mobile device using public, not associated WIFI signal

Multiple way exists to determine the geographic location of a mobile device. Using directly internet or by using the cellular network (HSPA, LTE, WiMaX, CDMA). The proposal will add a new way by using public WIFI network anonymously.

This will bring new capability like such;

  1. Having a device without cellular or GPS hardware, the said device will be able to have a basic geographic localization enabled if the device support WIFI. (like for mobile sport device, tracking device, etc..)
  1. It will greatly enhance geographic localization of a cellular device when only one cellular tower covers the area where the device is standing. Such enhancement will help in urgency call or any other example where the tracking become a priority.
  1. It would enhance GPS device that can be affected by line of sigh obstacle for geographic localization.

All the proposed change inside this document is backward compatible with actual device to allow an easy implantation.


For the full Abstract please see there


For an actual implantation test please see there

A simple technical example with hostapd

Example we have an accesspoint located at that point : 48.2435112812535,-79.04041822286098 (That is there on googlemap)

We put the access point to show that info to everyone near:

Due a limitation of hostapd, I will make sure only one IE is added, thus I will do a text to hex from “48.2435112812535|-79.04041822286098”, which become:

48.2435112812535|-79.04041822286098 = 34382e323433353131323831323533357c2d37392e3034303431383232323836303938

We need a divisible per 2 LEN, so we add a | to our string.

48.2435112812535||-79.04041822286098 = 34382e323433353131323831323533357c7c2d37392e3034303431383232323836303938

Now the LEN is 36 (0x24)

Now we play with the vendor specific tag in the WIFI beacon message

The message is ID (DD) + LEN(x) + OUI(xxxxxx) + our info


nb. I choosed the OUI 555555 as it’s not used yet. 111111 is for private use, but in case someone else already use it for another reason I didnt choose it.

There is a running printscreen with that flag:



On a linux desktop the command iwlist scan wlanX will show the vendor tag

My next step is to create mobile app to read those coordinate in real time. Stay tuned !





Philippe Lévesque