Deal with hopping




First make sure you've got a valid broadcast capture by decoding the BCCH; Wireshark on the loopback with the filter below shows only the Immediate Assignments (RR message type 0x3f) from the GSMTAP stream:

wireshark -k -Y 'gsm_a.dtap.msg_rr_type == 0x3f' -i lo &

grgsm_decode -a $arfcn -m BCCH -t 0 -c CFILE
grgsm_decode -a 673 -m BCCH -t 0 -c tele2hop.hrf/out_673.cfile
#-s $rate --ppm=$ppm

Then check whether some frames already get through on the dedicated control channel without de-hopping; this does happen (probably thanks to the heavy-duty error correction, as Sylvain M. suggested). The Wireshark filter just hides the non-GSMTAP traffic on lo:

!icmp && !tcp && !mdns

grgsm_decode -a $arfcn -m SDCCH8 -t $slot -c CFILE
grgsm_decode -a 673 -m SDCCH8 -t 1 -c tele2hop.hrf/out_673.cfile

Also check the very subchannel you would be targeting according to the Immediate Assignment (IA), and add

-u 0

or narrow it down further with the Wireshark filter

gsmtap.sub_slot == 0

De-hopping SDCCH/8

Grab the GRC template


gnuradio-companion grgsm_hopping_example.grc

and tune the parameters to match the Immediate Assignment: the MA (the ARFCN list), MAIO, HSN, the timeslot and the SDCCH subslot

Note: ARFCN order+order or disorder+disorder works here on Tele2
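As an added illustration (not code from this page or from gr-gsm), here is the hopping sequence of 3GPP TS 45.002 section 6.2.3 in Python, plus a small de-hopper that keeps only the bursts a hopping channel occupies, which is the job the flowgraph's hopping block does for real. The MA, the function names and the sample bursts are constructed; what you would feed in for real are the MA, MAIO and HSN from the Immediate Assignment plus the frame number of each burst.

```python
# Added example (not from the page or gr-gsm): the GSM hopping sequence of
# 3GPP TS 45.002 section 6.2.3, and a tiny "de-hopper" that keeps only the
# bursts a hopping channel actually occupies.  Sample data is constructed.

HYPERFRAME = 26 * 51 * 2048  # frame numbers wrap after this many frames

# RNTABLE, TS 45.002 Table 6.2.3-1 (114 entries, indexed 0..113)
RNTABLE = (
     48,  98,  63,   1,  36,  95,  78, 102,  94,  73,
      0,  64,  25,  81,  76,  59, 124,  23, 104, 100,
    101,  47, 118,  85,  18,  56,  96,  86,  54,   2,
     80,  34, 127,  13,   6,  89,  57, 103,  12,  74,
     55, 111,  75,  38, 109,  71, 112,  29,  11,  88,
     87,  19,   3,  68, 110,  26,  33,  31,   8,  45,
     82,  58,  40, 107,  32,   5, 106,  92,  62,  67,
     77, 108, 122,  37,  60,  66, 121,  42,  51, 126,
    117, 114,   4,  90,  43,  52,  53, 113, 120,  72,
     16,  49,   7,  79, 119,  61,  22,  84,   9,  97,
     91,  15,  21,  24,  46,  39,  93, 105,  65,  70,
    125,  99,  17, 123,
)
assert len(RNTABLE) == 114


def hopping_index(fn, n, maio, hsn):
    """Mobile Allocation Index (0..n-1) used in frame number fn.

    n    -- number of ARFCNs in the MA
    maio -- Mobile Allocation Index Offset, 0..n-1
    hsn  -- Hopping Sequence Number: 0 = cyclic, 1..63 = pseudo-random
    """
    if not 1 <= n <= 64:
        raise ValueError("the MA holds 1..64 ARFCNs")
    if not 0 <= maio < n:
        raise ValueError("MAIO must be smaller than N")
    if not 0 <= hsn <= 63:
        raise ValueError("HSN is 0..63")
    fn %= HYPERFRAME
    if hsn == 0:                       # cyclic hopping
        return (fn + maio) % n
    t1 = fn // (26 * 51)               # T1: superframe number, 0..2047
    t2 = fn % 26                       # T2: 26-multiframe counter
    t3 = fn % 51                       # T3: 51-multiframe counter
    t1r = t1 % 64                      # T1R: T1 reduced modulo 64
    nbin = n.bit_length()              # INTEGER(log2(N) + 1)
    m = t2 + RNTABLE[(hsn ^ t1r) + t3]
    m_prime = m % (1 << nbin)
    t_prime = t3 % (1 << nbin)
    s = m_prime if m_prime < n else (m_prime + t_prime) % n
    return (maio + s) % n


def hopping_arfcn(fn, ma, maio, hsn):
    """ARFCN of the hopping channel in frame fn.  The spec numbers the MA in
    ascending ARFCN order (index 0 = lowest ARFCN), so sort it first."""
    ma_sorted = sorted(ma)
    return ma_sorted[hopping_index(fn, len(ma_sorted), maio, hsn)]


def schedule(ma, maio, hsn, fn_start, count):
    """ARFCN used in each of `count` consecutive frames starting at fn_start."""
    return [hopping_arfcn(fn, ma, maio, hsn)
            for fn in range(fn_start, fn_start + count)]


def dehop(bursts, ma, maio, hsn):
    """Keep only the bursts that belong to the hopping channel.

    bursts is an iterable of (arfcn, fn, payload) tuples, as would come from
    one receiver per ARFCN of the MA; the result is ordered by frame number.
    """
    wanted = [(fn, arfcn, payload) for arfcn, fn, payload in bursts
              if arfcn == hopping_arfcn(fn, ma, maio, hsn)]
    return sorted(wanted, key=lambda b: b[0])


# Constructed sample: four receivers (one per ARFCN), six frames each.
# The MA is deliberately given out of order to show the sorting matters.
SAMPLE_MA = (698, 673, 689, 680)
SAMPLE_BURSTS = [(arfcn, fn, "burst@%d/%d" % (arfcn, fn))
                 for fn in range(6) for arfcn in SAMPLE_MA]


def demo():
    """Cyclic hopping (HSN=0) with MAIO=1: frame fn sits on sorted_ma[(fn+1) % 4]."""
    return dehop(SAMPLE_BURSTS, SAMPLE_MA, maio=1, hsn=0)


if __name__ == "__main__":
    for fn, arfcn, payload in demo():
        print(fn, arfcn, payload)
    print(schedule(SAMPLE_MA, maio=0, hsn=5, fn_start=0, count=8))
```

If the ARFCNs you compute do not line up with what decodes, the first things to re-check are the MA ordering (the spec indexes it in ascending ARFCN order) and the MAIO/HSN taken from the Immediate Assignment.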


Run while watching the frames live

#gsmtap && !icmp
!icmp && !tcp && !mdns
gsmtap.sub_slot == 0 && !icmp

and look more precisely for SI5, SI6, idle frames and the Ciphering Mode Command (RR message type 0x35; the commented-out filters pick out A5/1 as the algorithm identifier and SC == 1, i.e. ciphering being started)

gsm_a.dtap.msg_rr_type == 0x35 && !icmp
#gsm_a.rr.algorithm_identifier == 0 && !icmp
#gsm_a.rr.SC == 1




13 Feb 2019 - Frequency hopping (gr-gsm list, !msg/gr-gsm/0VgwCrHmb_M/Xe7iznuHCwAJ) -> connect C0 if BCCH is part of the ARFCN list -> channelized sample rate needs to be a multiple of the wideband sample rate -> USRP wideband capture -> channelize -> smaller decoding sample rate, e.g. 800e3

28 Aug 2018 - hopping channel (gr-gsm list, !topic/gr-gsm/ueyCxh3sZUY)

Sep 4, 2017 - Decrypt SMS on hopping SDCCH8 channel #328 -> CM Service Request shows the called TMSI

Oct 17, 2016 - Russian-style troubleshooting

Jul 21, 2015 - uplink-decoding #94 -> issues with hopping on uplink -> TSEQ

15/06/2017 - Immediate Assignment with hopping (gr-gsm list, !topic/gr-gsm/jDHG6X5gOqA) -> no chance with Packet Channel Description

Aug 9, 2015 - Channel hopping improvements #105

May 18, 2015 - Proposal: channel hopping #51 -> sample hopping -> step-by-step process with GRC blocks

GSM receiver with gr-gsm and Wireshark

specs & TSEQ

Page 19 / Layers

Page 12 / TSEQ & Page 15 / MAIO

Training sequence in a GSM frame?

Page 117 Hopping