DR. SDR Part 3 — GSM network passive reconnaissance using BladeRF

Dr. Takashi
5 min read · Jul 3, 2023


In the previous part (https://medium.com/@dr_takashi/dr-sdr-part2-installing-cellular-software-for-bladerf-yatebts-4e2632b17ef7), I provided instructions on setting up your bladeRF. Now, let’s move on to some practical exercises with the bladeRF by describing the process of GSM network passive reconnaissance. This will enable you to map all the local Base Transceiver Stations (BTS) in your area.

To begin, we need to install some software. Many older tutorials on the internet mention a tool called Kalibrate-RTL, but it does not work with the latest bladeRF firmware at the time of writing. Instead, we will use GR-GSM Scanner as an alternative. You can find it at https://github.com/ptrkrysik/gr-gsm.

Before proceeding, install the following packages if you don’t already have them:

$ sudo apt install -y \
cmake \
autoconf \
libtool \
pkg-config \
build-essential \
python-docutils \
libcppunit-dev \
swig \
doxygen \
liblog4cpp5-dev \
python-scipy \
python-gtk2 \
gnuradio-dev \
gr-osmosdr \
libosmocore-dev

To download and install GR-GSM Scanner, you can use the following commands:

$ git clone https://gitea.osmocom.org/sdr/gr-gsm
$ cd gr-gsm
$ mkdir build
$ cd build
$ cmake ..
$ mkdir $HOME/.grc_gnuradio/ $HOME/.gnuradio/
$ make
$ sudo make install
$ sudo ldconfig

Once you have successfully compiled and installed GR-GSM Scanner, you can search for local base stations using the following command:

$ sudo grgsm_scanner -b <frequency (GSM900, PCS1900 etc.)> --args="bladerf=0"

Running this command with sudo privileges will start the GR-GSM Scanner tool and initiate the scanning process. It will search for nearby Base Transceiver Stations (BTS) in your area and display relevant information such as their frequencies, signal strength, and Cell ID.

Make sure you have your bladeRF device connected and properly configured before running the command. The scanning process may take some time, depending on the number of BTS in your vicinity.

When using GR-GSM Scanner, it’s important to note that it provides only the downlink frequency. To find the corresponding uplink frequency, you can utilize websites such as CellMapper (https://www.cellmapper.net/), Sqimway (https://www.sqimway.com/gsm_arfcn.php), or OpenCellID (https://opencellid.org/). These websites can help you determine the uplink frequency based on the downlink frequency provided by GR-GSM Scanner.

Furthermore, it’s crucial to pass the correct device arguments (as in --args="bladerf=0" above) when running GR-GSM Scanner with a bladeRF; otherwise the tool may fail with an error. Refer to the GR-GSM documentation for the full set of arguments and parameters.

Typically, the scanning process using GR-GSM Scanner takes a few minutes. Once completed, you will receive output that provides information about the scanned base stations, including their frequencies, signal strengths, and other relevant details.

To find the uplink frequency, take the cell’s ARFCN number from the scanner output. For example, for one scanned tower we have:

Downlink frequency — 1931.4 MHz

Uplink frequency — 1851.4 MHz (based on cell ARFCN 518)
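The downlink/uplink pairing above is fixed by the GSM band plan (3GPP TS 45.005), so the lookup those websites perform can be done locally. The Python below is an added example, not code from this post or from gr-gsm; it generalises the single PCS1900 case to the common bands: it maps an ARFCN to its downlink/uplink carriers, inverts a scanner-reported downlink back to an ARFCN, and lists which bands define a given ARFCN. The last point matters because ARFCNs 512..810 exist in both DCS1800 and PCS1900, which is why grgsm_scanner has to be told the band with -b. The band labels and function names are my own.

```python
"""ARFCN <-> carrier-frequency conversion for the common GSM bands.

Added example, not part of the original post or of gr-gsm. Band edges and
formulas follow 3GPP TS 45.005; arithmetic is done in integer kHz so results
are exact, and values are returned in MHz.
"""

CHANNEL_SPACING_KHZ = 200

# Per band: duplex spacing (downlink - uplink) and one or more ARFCN segments,
# each as (lowest ARFCN, highest ARFCN, uplink kHz at that lowest ARFCN).
BANDS = {
    "GSM850":  {"duplex_khz": 45_000, "segments": [(128, 251, 824_200)]},
    "PGSM900": {"duplex_khz": 45_000, "segments": [(1, 124, 890_200)]},
    # E-GSM adds ARFCN 0 and the 975..1023 block, which sits *below* ARFCN 0
    "EGSM900": {"duplex_khz": 45_000, "segments": [(0, 124, 890_000), (975, 1023, 880_200)]},
    "DCS1800": {"duplex_khz": 95_000, "segments": [(512, 885, 1_710_200)]},
    "PCS1900": {"duplex_khz": 80_000, "segments": [(512, 810, 1_850_200)]},
}


def arfcn_to_freqs(band: str, arfcn: int) -> tuple:
    """Return (downlink_mhz, uplink_mhz) for an ARFCN in the given band."""
    spec = BANDS[band]
    for lo, hi, base_khz in spec["segments"]:
        if lo <= arfcn <= hi:
            ul_khz = base_khz + CHANNEL_SPACING_KHZ * (arfcn - lo)
            dl_khz = ul_khz + spec["duplex_khz"]
            return dl_khz / 1000, ul_khz / 1000
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def downlink_to_arfcn(band: str, downlink_mhz: float) -> int:
    """Inverse lookup: the ARFCN whose downlink carrier is downlink_mhz in the given band."""
    spec = BANDS[band]
    ul_khz = round(downlink_mhz * 1000) - spec["duplex_khz"]
    for lo, hi, base_khz in spec["segments"]:
        offset_khz = ul_khz - base_khz
        if offset_khz % CHANNEL_SPACING_KHZ == 0:
            arfcn = lo + offset_khz // CHANNEL_SPACING_KHZ
            if lo <= arfcn <= hi:
                return arfcn
    raise ValueError(f"{downlink_mhz} MHz is not a {band} downlink carrier")


def bands_for_arfcn(arfcn: int) -> list:
    """Every band that defines this ARFCN; more than one means the number alone is ambiguous."""
    return [name for name, spec in BANDS.items()
            if any(lo <= arfcn <= hi for lo, hi, _ in spec["segments"])]


if __name__ == "__main__":
    # The tower from the post: ARFCN 518 in PCS1900
    dl, ul = arfcn_to_freqs("PCS1900", 518)
    print(f"PCS1900 ARFCN 518: downlink {dl} MHz, uplink {ul} MHz")
    print("ARFCN 518 is defined in:", bands_for_arfcn(518))
```

Running it reproduces the pair from the post (1931.4 / 1851.4 MHz) and shows that the same ARFCN 518 would be 1806.4 / 1711.4 MHz if the band were DCS1800, so the band must always be recorded alongside the ARFCN when you map a cell.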

The next step is to install GQRX — an open source SDR receiver:

$ sudo apt install gqrx-sdr
$ gqrx -e

In the top-left, enter the frequency you want to receive, and in the receiver options the value should be 0.

As I already mentioned, we now have a strong signal from the tower. To analyze the network traffic, we can open Wireshark and capture the data.

Getting the data from gqrx onto the loopback interface is not straightforward. Instead, the gr-gsm package ships a tool that listens to the network itself and writes the captured traffic to the loopback interface, so gqrx is not needed for that step:

$ sudo grgsm_livemon

To listen to the network traffic using the gr-gsm package and capture it in Wireshark, follow these steps:

  1. In grgsm_livemon, set the gain to 40 and the frequency to the same frequency you used in gqrx, adjusting the values to your own signal.
  2. Open Wireshark on your system.
  3. Configure Wireshark to capture on the loopback (lo) interface by selecting “Loopback” or “lo” as the capture interface.
  4. Apply the following display filters in Wireshark to focus on the desired traffic:
  • !icmp: excludes ICMP packets from the capture.
  • gsmtap: keeps only GSMTAP packets, which carry the GSM protocol frames.

Applying these filters ensures that Wireshark captures only the relevant network traffic for analysis.

Once configured, Wireshark will start capturing the network traffic on the loopback interface with the specified filters applied. You can then analyze the captured packets to gain insights into the GSM network activity.
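Wireshark’s gsmtap filter matches the UDP datagrams that grgsm_livemon writes to the loopback interface, each prefixed with a fixed GSMTAP header. The Python below is an added example, not code from this post or from gr-gsm, showing what that header contains and how to triage a capture without Wireshark: it decodes the 16-byte GSMTAP v2 header (layout as in libosmocore’s gsmtap.h), splits the ARFCN field into its number and its uplink/PCS flags, and counts frames per channel. The sample datagrams are constructed inline with dummy 23-byte payloads and are not captured traffic; the function and constant names are my own.

```python
"""Minimal GSMTAP (v2) header decoder for the UDP/4729 datagrams grgsm_livemon
writes to the loopback interface.

Added example, not part of the original post or of gr-gsm. The field layout
follows the public gsmtap.h from libosmocore; the sample packets below are
constructed here for the demo and are not captured traffic.
"""
import struct

GSMTAP_UDP_PORT = 4729            # the port Wireshark's "gsmtap" dissector keys on
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_UM = 0x01             # GSM Um (air) interface
GSMTAP_ARFCN_F_PCS = 0x8000       # ARFCN belongs to PCS1900 rather than DCS1800
GSMTAP_ARFCN_F_UPLINK = 0x4000    # burst was seen on the uplink
GSMTAP_ARFCN_MASK = 0x3FFF

CHANNEL_NAMES = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
                 0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8",
                 0x09: "TCH/F", 0x0A: "TCH/H"}

# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, reserved; network byte order
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")


def parse_gsmtap(datagram: bytes) -> dict:
    """Decode one GSMTAP datagram (UDP payload) into header fields plus the L2 payload."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, typ, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    header_bytes = hdr_len * 4
    if header_bytes < GSMTAP_HDR.size or len(datagram) < header_bytes:
        raise ValueError("inconsistent GSMTAP hdr_len")
    return {
        "type": typ,
        "timeslot": timeslot,
        "arfcn": arfcn_raw & GSMTAP_ARFCN_MASK,
        "uplink": bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & GSMTAP_ARFCN_F_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": CHANNEL_NAMES.get(sub_type, f"unknown(0x{sub_type:02x})"),
        "sub_slot": sub_slot,
        "payload": datagram[header_bytes:],
    }


def build_gsmtap(arfcn: int, channel: int, frame_number: int, payload: bytes,
                 uplink: bool = False, pcs: bool = False, timeslot: int = 0,
                 signal_dbm: int = -60, snr_db: int = 20) -> bytes:
    """Encode a GSMTAP datagram; used here only to construct sample input."""
    arfcn_raw = arfcn & GSMTAP_ARFCN_MASK
    if uplink:
        arfcn_raw |= GSMTAP_ARFCN_F_UPLINK
    if pcs:
        arfcn_raw |= GSMTAP_ARFCN_F_PCS
    header = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_UM,
                             timeslot, arfcn_raw, signal_dbm, snr_db, frame_number,
                             channel, 0, 0, 0)
    return header + payload


def summarize(datagrams) -> dict:
    """Count frames per (arfcn, direction, channel): a quick view of what a capture holds."""
    counts = {}
    for datagram in datagrams:
        p = parse_gsmtap(datagram)
        key = (p["arfcn"], "UL" if p["uplink"] else "DL", p["channel"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic (dummy 23-byte L2 payloads, not real frames): the
# PCS1900 cell from the post on ARFCN 518, downlink only, as a receiver would see it.
DUMMY_L2 = bytes(23)
SAMPLE_DATAGRAMS = [
    build_gsmtap(518, 0x01, 1_234_567, DUMMY_L2, pcs=True),  # BCCH
    build_gsmtap(518, 0x05, 1_234_571, DUMMY_L2, pcs=True),  # PCH
    build_gsmtap(518, 0x05, 1_234_575, DUMMY_L2, pcs=True),  # PCH
    build_gsmtap(518, 0x01, 1_234_618, DUMMY_L2, pcs=True),  # BCCH
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_DATAGRAMS).items()):
        print(key, count)
```

The same decoder can be pointed at a real capture by reading the UDP payloads of port 4729 packets out of a pcap; the per-channel counts then tell you at a glance whether a capture contains only broadcast/paging traffic (BCCH, PCH) or also dedicated channels, which is the first thing to check before deciding what is worth keeping.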

In the next part, we will discuss how to decrypt the captured data. Decrypting the captured data allows you to access and analyze the actual contents of the encrypted GSM network traffic. This process involves extracting the encryption keys used in the GSM network and using them to decrypt the captured packets.

