Sniffing GSM network using SDR scanning

PurpleSynapz
4 min read · Jan 23, 2024


Caution: The research experiments are conducted in a Faraday-bag controlled environment. Any uncontrolled imitation in a real-world environment may have regulatory/legal consequences for which you yourself would be responsible!

I) Environment setup

Operating System Used: SigIntOS / GNU Radio LiveCD

Hardware Used: RTL-SDR / HackRF / BladeRF

1. Installing build dependencies

sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy

2. Compiling gr-gsm

git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

3. Compile kalibrate

kalibrate-hackrf (HackRF users)

git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install

kalibrate-rtl (RTL-SDR users)

git clone https://github.com/steve-m/kalibrate-rtl.git
cd kalibrate-rtl
./bootstrap
./configure
make
sudo make install

II) Scanning for base stations

1. kal

kal
error: must enter channel or frequency

kalibrate v0.4.1-hackrf, Copyright (c) 2010, Joshua Lackey
modified for use with hackrf devices, Copyright (c) 2014, scateu@gmail.com

Usage:
    GSM Base Station Scan:
        kal <-s band indicator> [options]

    Clock Offset Calculation:
        kal <-f frequency | -c channel> [options]

Where options are:
    -s    band to scan (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
    -f    frequency of nearby GSM base station
    -c    channel of nearby GSM base station
    -b    band indicator (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
    -a    rf amplifier enable
    -g    vga (bb) gain in dB, 0-40dB, 8dB step
    -l    lna (if) gain in dB, 0-62dB, 2dB step
    -d    rtl-sdr device index
    -e    initial frequency error in ppm
    -E    manual frequency offset in hz
    -v    verbose
    -D    enable debug messages
    -h    help

Scan the GSM900 band with the VGA and LNA gain both set to 40 dB:

kal -s GSM900 -g 40 -l 40
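An added worked example (my own, not part of this post, kalibrate or gr-gsm) of what to do with the scan result: it parses the hit lines kal prints (`chan: <ARFCN> (<MHz> +/- <offset>) power: <value>`), checks each against the GSM band plan by converting ARFCN to downlink frequency and back, expresses the offset in ppm, and builds the grgsm_livemon command for the strongest cell. The band table follows 3GPP TS 45.005 using the band names kal accepts; the scan text is constructed, using the two frequencies this post found (ARFCN 12 and 27 in GSM900) with invented offset and power values.

```python
"""Interpret a `kal -s <band>` scan: parse the hits, cross-check each against
the GSM band plan, and turn the strongest one into a grgsm_livemon command.
Added example, not part of kalibrate or gr-gsm; the scan text is constructed."""
import re

# Band plan (3GPP TS 45.005): first/last ARFCN, uplink base in MHz, the ARFCN
# that base applies to, and the uplink-to-downlink offset in MHz.
# Band names are the ones kal -s accepts.
BANDS = {
    "GSM850": (128, 251, 824.2, 128, 45.0),
    "GSM900": (1, 124, 890.0, 0, 45.0),        # P-GSM
    "EGSM":   (975, 1023, 890.0, 1024, 45.0),  # extension block; also carries 0..124
    "GSM-R":  (955, 974, 890.0, 1024, 45.0),
    "DCS":    (512, 885, 1710.2, 512, 95.0),   # DCS 1800
    "PCS":    (512, 810, 1850.2, 512, 80.0),   # PCS 1900
}
CHANNEL_SPACING_MHZ = 0.2


def arfcn_to_downlink_mhz(arfcn, band):
    """Downlink (BTS transmit) centre frequency for an ARFCN in the given band."""
    lo, hi, ul_base, n0, dl_off = BANDS[band]
    if band == "EGSM" and 0 <= arfcn <= 124:      # the P-GSM channels inside E-GSM
        return round(890.0 + CHANNEL_SPACING_MHZ * arfcn + dl_off, 1)
    if not lo <= arfcn <= hi:
        raise ValueError(f"ARFCN {arfcn} is not in {band}")
    return round(ul_base + CHANNEL_SPACING_MHZ * (arfcn - n0) + dl_off, 1)


def downlink_mhz_to_arfcn(mhz, band):
    """Inverse of arfcn_to_downlink_mhz; raises if the frequency is off-plan."""
    lo, hi, ul_base, n0, dl_off = BANDS[band]
    n = n0 + round((mhz - dl_off - ul_base) / CHANNEL_SPACING_MHZ)
    if band == "EGSM" and n >= 1024:              # wrapped into the P-GSM block
        n -= 1024
    in_plan = lo <= n <= hi or (band == "EGSM" and 0 <= n <= 124)
    if not in_plan or arfcn_to_downlink_mhz(n, band) != round(mhz, 1):
        raise ValueError(f"{mhz} MHz is not a {band} downlink channel")
    return n


# One kal hit line, e.g. "\tchan: 12 (937.4MHz + 1.128kHz)\tpower: 2194723.53"
KAL_HIT = re.compile(
    r"chan:\s*(?P<arfcn>\d+)\s*\((?P<mhz>\d+(?:\.\d+)?)MHz\s*(?P<sign>[+-])\s*"
    r"(?P<off>\d+(?:\.\d+)?)(?P<unit>k?Hz)\)\s*power:\s*(?P<power>\d+(?:\.\d+)?)")


def parse_kal_scan(text, band):
    """One dict per base station kal reported, strongest first. Every hit is
    checked against the band plan, so a mis-parsed or off-plan line fails loudly."""
    hits = []
    for m in KAL_HIT.finditer(text):
        arfcn, mhz = int(m["arfcn"]), float(m["mhz"])
        if arfcn_to_downlink_mhz(arfcn, band) != mhz:
            raise ValueError(f"chan {arfcn} and {mhz} MHz disagree for {band}")
        off_hz = float(m["off"]) * (1000.0 if m["unit"] == "kHz" else 1.0)
        if m["sign"] == "-":
            off_hz = -off_hz
        hits.append({
            "arfcn": arfcn, "mhz": mhz, "offset_hz": off_hz,
            # offset relative to nominal as ppm; `kal -c <chan>` gives the averaged value
            "apparent_ppm": round(off_hz / mhz, 2),
            "power": float(m["power"]),
        })
    hits.sort(key=lambda h: h["power"], reverse=True)
    return hits


def livemon_command(hit):
    """grgsm_livemon reads -f in engineering notation, so the M suffix is required."""
    return f"grgsm_livemon -f {hit['mhz']:g}M"


# Constructed `kal -s GSM900` listing in kalibrate's output format; the two
# frequencies are the ones found in the post, offsets and powers are invented.
SAMPLE_KAL_OUTPUT = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan: 12 (937.4MHz + 1.128kHz)\tpower: 2194723.53
\tchan: 27 (940.4MHz - 567Hz)\tpower: 1589218.33
"""

if __name__ == "__main__":
    hits = parse_kal_scan(SAMPLE_KAL_OUTPUT, "GSM900")
    for hit in hits:
        print(hit)
    print(livemon_command(hits[0]))
```

Cross-checking the channel number against the frequency catches a scan run with the wrong -s band (DCS and PCS reuse the same ARFCN numbers at different frequencies). The ppm figure from a single hit is only a hint: kal -c <channel> averages the clock offset properly before you pass it to grgsm_livemon with -p.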

2. gr-gsm (HackRF, BladeRF)

There are scripts for scanning and decoding GSM traffic in the apps directory of the compiled gr-gsm project: grgsm_scanner for scanning, grgsm_livemon and grgsm_decode for decoding.

3. BladeRF combined with SDR-sharp

Through the methods above we obtained information about the base station such as its center frequency, channel (ARFCN), LAC, MCC and MNC.

Is there another way for Windows users to determine the center frequency of the base station?
Windows users can confirm the operating frequency of the base station from the SDR-sharp waterfall display. The hardware driver has to be installed first; see https://github.com/jmichelp/sdrsharp-bladerf for details.

Copy SDRSharp.BladeRF.dll from the Release directory to the SDR-sharp home directory, copy all the DLL files from the LibBladeRF directory of the GitHub project to the same directory, and register the front end in FrontEnds.xml:

<add key="BladeRF" value="SDRSharp.BladeRF.BladeRFIO,SDRSharp.BladeRF" />

Load BladeRF’s FPGA firmware in SDR-sharp:

Final effect!

III) Sniffing

Through scanning we obtained the base station's center frequency, channel (ARFCN), LAC, MCC, MNC and other parameters:

The figure above shows GSM base station signals at two center frequencies, 937.4 MHz and 940.4 MHz.

ubuntu@ubuntu:~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon  grgsm_livemon.py  helpers
grgsm_decode  grgsm_livemon.grc  grgsm_scanner  README

ubuntu@ubuntu:~/gr-gsm/apps$ grgsm_livemon -h
linux; GNU C++ version 4.8.4; Boost_105400; UHD_003.010.git-197-g053111dc

Usage: grgsm_livemon: [options]

Options:
  -h, --help            show this help message and exit
  --args=ARGS           Set Device Arguments [default=]
  -f FC, --fc=FC        Set fc [default=939.4M]
  -g GAIN, --gain=GAIN  Set gain [default=30]
  -p PPM, --ppm=PPM     Set ppm [default=0]
  -s SAMP_RATE, --samp-rate=SAMP_RATE
                        Set samp_rate [default=2M]
  -o SHIFTOFF, --shiftoff=SHIFTOFF
                        Set shiftoff [default=400k]
  --osr=OSR             Set OSR [default=4]

Let's listen to the 937.4 MHz base station. grgsm_livemon takes -f in engineering notation, so the M suffix matters: without it, 937.4 would be read as 937.4 Hz.

grgsm_livemon -f 937.4M

The terminal on the right shows that packets from the base station have been captured successfully.

IV) Decoding and decryption

1. Installing Wireshark

sudo apt-get install wireshark

2. Sniffing & Decryption

ubuntu@ubuntu:~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon  grgsm_livemon.py  helpers
grgsm_decode  grgsm_livemon.grc  grgsm_scanner  README
ubuntu@ubuntu:~/gr-gsm/apps$ gnuradio-companion grgsm_livemon.grc
Executing GRC flow graph

With the flow graph running, open Wireshark on the loopback interface with a display filter for GSMTAP frames:

sudo wireshark -k -Y 'gsmtap && !icmp' -i lo

The captured packets are as follows:
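As an added example (mine, not part of this post or of gr-gsm), here is what those packets contain. grgsm_livemon wraps each decoded frame in a GSMTAP header and sends it over UDP to 127.0.0.1:4729, which is the stream the `gsmtap` filter above picks out of the loopback capture. The script unpacks that header and, for a BCCH System Information Type 3 message, extracts the Cell Identity and the LAI (MCC, MNC, LAC), the values that identify the cell. The datagram is constructed: ARFCN 12 corresponds to the post's 937.4 MHz under the GSM900 band plan, PLMN 001/01 is the standard test network code, and the LAC, cell ID, frame number and signal values are arbitrary.

```python
"""Decode GSMTAP datagrams as grgsm_livemon emits them and pull the cell
identity out of a BCCH System Information Type 3 message.
Added example, not gr-gsm code; the sample datagram below is constructed."""
import socket
import struct

# GSMTAP v2 header (osmocom gsmtap.h): 16 bytes, network byte order.
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_UM = 0x01          # L2 frames from the Um (air) interface
GSMTAP_CHANNEL_BCCH = 0x01
ARFCN_F_PCS = 0x8000           # flag bits carried in the ARFCN field
ARFCN_F_UPLINK = 0x4000
ARFCN_MASK = 0x3FFF
CHANNEL_NAMES = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
                 0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8",
                 0x09: "TCH/F", 0x0A: "TCH/H"}


def parse_gsmtap(datagram):
    """Split one UDP payload into GSMTAP header fields and the L2 frame."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    return {
        "type": gtype,
        "sub_type": sub_type,
        "channel": CHANNEL_NAMES.get(sub_type, f"0x{sub_type:02x}"),
        "timeslot": timeslot,
        "sub_slot": sub_slot,
        "arfcn": arfcn_raw & ARFCN_MASK,
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & ARFCN_F_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "payload": datagram[hdr_len * 4:],   # hdr_len counts 32-bit words
    }


def decode_plmn(lai):
    """MCC/MNC from the first three BCD octets of a LAI (3GPP TS 24.008 10.5.1.3)."""
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0xF:            # 0xF in that nibble marks a two-digit MNC
        mnc += str(lai[1] >> 4)
    return mcc, mnc


def parse_si3(l3):
    """System Information Type 3 (3GPP TS 44.018 9.1.35) as carried on the BCCH.
    Layout: L2 pseudo-length | skip/PD | msg type | Cell Identity (2) | LAI (5) | ..."""
    if len(l3) < 10 or (l3[1] & 0x0F) != 0x06 or l3[2] != 0x1B:
        return None                      # not an RR System Information 3
    cell_id = struct.unpack_from("!H", l3, 3)[0]
    mcc, mnc = decode_plmn(l3[5:8])
    lac = struct.unpack_from("!H", l3, 8)[0]
    return {"cell_id": cell_id, "mcc": mcc, "mnc": mnc, "lac": lac}


def summarize(datagram):
    """Header summary, plus the cell identity when the frame is a BCCH SI3."""
    info = parse_gsmtap(datagram)
    if info["type"] == GSMTAP_TYPE_UM and info["sub_type"] == GSMTAP_CHANNEL_BCCH:
        si3 = parse_si3(info["payload"])
        if si3:
            info.update(si3)
    return info


def build_sample_datagram():
    """Constructed BCCH/SI3 frame: ARFCN 12 (937.4 MHz in GSM900), test PLMN 001/01,
    LAC 0x1234, Cell ID 1; the remaining fields are padded with the 0x2B fill octet."""
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0, 12, -60, 20,
                          1234567, GSMTAP_CHANNEL_BCCH, 0, 0, 0)
    si3 = bytes([0x49, 0x06, 0x1B,        # pseudo-length 18, RR PD, SI3 message type
                 0x00, 0x01,              # Cell Identity
                 0x00, 0xF1, 0x10,        # MCC 001, MNC 01 (BCD, nibble-swapped)
                 0x12, 0x34])             # LAC
    return hdr + si3 + b"\x2b" * (23 - len(si3))


def listen(host="127.0.0.1", port=4729):
    """Print a summary of every GSMTAP datagram grgsm_livemon sends (run alongside it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            data, _ = s.recvfrom(4096)
            print(summarize(data))


if __name__ == "__main__":
    print(summarize(build_sample_datagram()))
```

The `!icmp` in the Wireshark filter above exists because nothing normally listens on UDP 4729, so every datagram grgsm_livemon sends provokes an ICMP port-unreachable reply on lo; running listen() claims the port and those replies stop.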

For the decryption method, please refer to the gr-gsm wiki on GitHub:

https://github.com/ptrkrysik/gr-gsm/wiki/Usage#decoding-hopping-channels

https://github.com/ptrkrysik/gr-gsm/wiki/Usage:-Decoding-How-To
