So the usual view is that the capabilities we hear of the NSA having (keeping the phone on even when it appears to be off, using GPS etc. to locate the phone, transmitting the microphone in the background, etc.) are enabled in the baseband, when it receives coded requests from the network.
It'd be interesting if reverse engineering of the baseband could find those capabilities and see what's really possible and how it works.
No. You are linking to lawful interception documents. That is not handled in the phone or base station but in the core network. You cannot use it to track or listen to shut-off devices.