Multi-RTL for Hopping

If you are new to GSM, start without hopping

Introduction

I de-hopped an SDCCH/8 by using mutlirtl_rx_to_cfile_2chan.py and editing hopping/grgsm_hopping_example.grc accordingly.

Why do some packets pass through without hopping? Before looking for hopping sequences, I first checked the SDCCH/8 without it. Surprise: I could already see some rare Ciphering Mode Commands there. How can this be?

It can work even without soldering. Multi-RTL is supposed to work with a soldered clock source, but I was able to decode a hopping SDCCH/8 with non-soldered dongles as well: the PPM values need to be close enough, that’s all (and use a center value in the grgsm_hopping_example.grc settings).

Requirements

apt install gr-osmosdr gnuradio-dev cmake swig build-essential doxygen python-scipy
apt install python-numpy python-matplotlib python-tk

ppm=-23
arfcn=XX

kalibrate-rtl/src/kal -c $arfcn -g 40 -d 1 -e $ppm
kalibrate-rtl/src/kal -c $arfcn -g 40 -d 0 -e $ppm

ppm=-15

identify hopping

watch live

wireshark -k -Y gsmtap -i lo &
grgsm_livemon_headless -h
grgsm_livemon_headless --args=rtl=0 -g 40 -p $ppm -f `arfcncalc -a $arfcn -d`

look for hopping friends (SI1)

tshark -Y 'gsm_a.dtap.msg_rr_type == 0x19' -i lo -T text -V

then define the second arfcn (assuming only two)

arfcn2=XX

look for IAs and check the Mobile Allocation bitmap

tshark -Y 'gsm_a.dtap.msg_rr_type==0x3f && gsm_a.rr.hopping_channel_maio == 0' -i lo -T text -V
# && gsm_a.rr.hsn == 49
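
The SI1 list tells you which ARFCNs the cell hops over; whether two synchronised dongles are needed at all depends on how far apart those carriers sit compared to the sample rate. The following is an added example (not code from multi-rtl, gr-gsm or these notes): it converts ARFCNs to the downlink frequencies that arfcncalc prints and groups a hopping set into the fewest receiver windows for a given sample rate. The ARFCN lists in it are constructed. A dongle's usable bandwidth is somewhat less than its sample rate because of filter roll-off, so a set that only barely fits one window still deserves the second dongle.

```python
"""ARFCN to frequency conversion and capture-window planning for a GSM
hopping set.

Added example for these notes, not code from multi-rtl or gr-gsm. Band
formulas follow the standard GSM 900 / DCS 1800 channel numbering; the
ARFCN lists used below are constructed, not taken from a capture."""

CHANNEL_BW_HZ = 200_000  # GSM carrier spacing


def arfcn_to_downlink_hz(arfcn):
    """Downlink (BTS -> MS) centre frequency in Hz, i.e. what
    `arfcncalc -a <arfcn> -d` prints for these bands."""
    if 1 <= arfcn <= 124:                       # P-GSM 900
        mhz = 935.0 + 0.2 * arfcn
    elif arfcn == 0:                            # E-GSM 900, channel 0
        mhz = 935.0
    elif 975 <= arfcn <= 1023:                  # E-GSM 900 extension band
        mhz = 935.0 + 0.2 * (arfcn - 1024)
    elif 512 <= arfcn <= 885:                   # DCS 1800
        mhz = 1805.2 + 0.2 * (arfcn - 512)
    else:
        raise ValueError("ARFCN %d is not GSM 900 / DCS 1800" % arfcn)
    return int(round(mhz * 1e6))


def arfcn_to_uplink_hz(arfcn):
    """Uplink centre frequency: downlink minus the band's duplex spacing
    (45 MHz for GSM 900, 95 MHz for DCS 1800)."""
    spacing = 95_000_000 if 512 <= arfcn <= 885 else 45_000_000
    return arfcn_to_downlink_hz(arfcn) - spacing


def plan_capture_windows(arfcns, sample_rate_hz, channel_bw_hz=CHANNEL_BW_HZ):
    """Group a hopping set (the SI1 ARFCN list or an IA mobile allocation)
    into the fewest receiver windows of width sample_rate_hz.

    ARFCNs are sorted by frequency and added to the current window while
    the whole 200 kHz channel still fits; otherwise a new window starts.
    One window means a single dongle suffices; more than one is the case
    multi-RTL exists for (one synchronised dongle per window).
    Returns a list of (centre_hz, [arfcns]) tuples."""
    ordered = sorted(set(arfcns), key=arfcn_to_downlink_hz)
    groups = []
    current = []
    for a in ordered:
        if current:
            span = arfcn_to_downlink_hz(a) - arfcn_to_downlink_hz(current[0])
            if span + channel_bw_hz > sample_rate_hz:
                groups.append(current)
                current = []
        current.append(a)
    if current:
        groups.append(current)

    plan = []
    for g in groups:
        lo = arfcn_to_downlink_hz(g[0])
        hi = arfcn_to_downlink_hz(g[-1])
        plan.append(((lo + hi) // 2, g))
    return plan


def fits_single_dongle(arfcns, sample_rate_hz, channel_bw_hz=CHANNEL_BW_HZ):
    """True when the whole hopping set fits one receiver window."""
    return len(plan_capture_windows(arfcns, sample_rate_hz, channel_bw_hz)) == 1


if __name__ == "__main__":
    # Constructed hopping sets; the notes above capture at rate=1.8e6.
    rate = 1.8e6
    for hopping_set in ([10, 14], [10, 14, 60, 62], [520, 700]):
        print(hopping_set, "->", plan_capture_windows(hopping_set, rate))
```

Feed it the ARFCNs from the 'List of ARFCNs' line of SI1 and the sample rate you intend to use; each returned window gives the centre frequency to tune one channel to and the ARFCNs that channel will contain.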

Installation

git clone https://github.com/ptrkrysik/multi-rtl.git
cd multi-rtl/
mkdir build/
cd build/
cmake ../
make install
ldconfig

Capture

multi-rtl/examples/mutlirtl_rx_to_cfile_2chan.py -h

#rate=1083333.3333333333
#rate=1.2e6
rate=1.8e6
date; date=`date +%s`; multi-rtl/examples/mutlirtl_rx_to_cfile_2chan.py \
--ch0-id-string="00000001" \
--ch1-id-string="00000002" \
-r $rate \
--sync-freq `arfcncalc -a $arfcn -d` \
--sync-gain-ch0 40 \
--sync-gain-ch1 40 \
--freq-ch0 `arfcncalc -a $arfcn -d` \
--freq-ch1 `arfcncalc -a $arfcn2 -d` \
--gain-ch0 40 \
--gain-ch1 40 \
--fname-ch0 /data/gsm/$date.$arfcn.$rate.$ppm.cfile \
--fname-ch1 /data/gsm/$date.$arfcn2.$rate.$ppm.cfile
#-p THIS IS NOT PPM \
#--ch0-id-string="+52" \
#--ch1-id-string="+44" \

ls -lhF /data/gsm/$date.*.cfile
df -h /data/

Decoding BCCH

wireshark -k -Y 'gsm_a.dtap.msg_rr_type == 0x3f' -i lo &

grgsm_decode -h
#grgsm_decode -c /data/gsm/$date.$arfcn.$rate.$ppm.cfile -a $arfcn -s $rate --ppm=$ppm
grgsm_decode -c /data/gsm/$date.$arfcn.$rate.$ppm.cfile -a $arfcn -s $rate -m BCCH -t 0 --ppm=$ppm

echo $date.$arfcn.$rate.bcch $ppm

--> in Wireshark, save the capture as /data/gsm/$date.$arfcn.$rate.bcch.pcapng

tshark -2 -R 'gsm_a.dtap.msg_rr_type == 0x19' -r /data/gsm/$date.$arfcn.$rate.bcch.pcapng -T text -V | grep 'List of ARFCNs' | uniq
tshark -2 -R 'gsm_a.dtap.msg_rr_type == 0x3f && gsm_a.rr.hopping_channel_maio == 0' -r /data/gsm/$date.$arfcn.$rate.bcch.pcapng -T text
tshark -2 -R 'gsm_a.dtap.msg_rr_type == 0x3f && gsm_a.rr.hopping_channel_maio == 0' -r /data/gsm/$date.$arfcn.$rate.bcch.pcapng -T text -V | egrep 'Subchannel:|Timeslot:|Training Sequence:|Hopping channel MAIO:|HSN:' | sort -u

Decoding SDCCH/8 w/o hopping

sometimes full and valid frames pass through w/o hopping

!icmp && !tcp && !mdns

grgsm_decode -h
echo $date $rate $ppm
grgsm_decode -c /data/gsm/$date.$arfcn.$rate.$ppm.cfile -a $arfcn -s $rate -m SDCCH8 -t 2 --ppm=$ppm

Decoding SDCCH/8 w/ hopping

wget https://raw.githubusercontent.com/ptrkrysik/examples/master/frequency_hopping/grgsm_hopping_example.grc
wget https://raw.githubusercontent.com/ptrkrysik/examples/master/frequency_hopping/airprobe_rtlsdr_multi.grc

gnuradio-companion hopping/grgsm_hopping_example.grc
cp -i hopping/grgsm_hopping_example_.grc hopping/grgsm_hopping_example.$date.$rate.grc
gnuradio-companion hopping/grgsm_hopping_example.$date.$rate.grc

Ciphering

now look for ciphering,

gsm_a.rr.algorithm_identifier == 0
gsm_a.dtap.msg_rr_type == 0x35
gsm_a.rr.SC == 1

tshark -2 -R 'gsm_a.dtap.msg_rr_type == 0x35' -r $arfcn.$ts.S.pcapng -T text
tshark -2 -R 'gsm_a.dtap.msg_rr_type == 0x35' -r $arfcn.$ts.S.pcapng -T text -V | grep 'Algorithm identifier:'

Resources

Multi-RTL

PPM vs Frequency Correction

Hopping

13 Feb 2019 - Frequency hopping https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/gr-gsm/0VgwCrHmb_M/Xe7iznuHCwAJ –> USRP wideband capture –> channelize –> smaller decoding sample rate e.g. 800e3

28 Aug 2018 - hopping channel https://groups.google.com/forum/#!topic/gr-gsm/ueyCxh3sZUY

Sep 4, 2017 Decrypt SMS on hopping SDCCH8 channel #328 https://github.com/ptrkrysik/gr-gsm/issues/328 –> CM Service Request shows called TMSI

Oct 17 2016 Russian style troubleshooting https://dmyt.ru/forum/viewtopic.php?t=1726

Jul 21, 2015 uplink-decoding #94 https://github.com/ptrkrysik/gr-gsm/issues/94 –> issues with hopping on uplink –> TSEQ

15/06/2017 Immediate Assignment with hopping https://groups.google.com/forum/#!topic/gr-gsm/jDHG6X5gOqA –> no chance with Packet Channel Description

Aug 9, 2015 Channel hopping improvements #105 https://github.com/ptrkrysik/gr-gsm/issues/105

May 18, 2015 - Proposal: channel hopping #51 https://github.com/ptrkrysik/gr-gsm/issues/51 –> sample hopping –> step by step process with grc blocks

Specs & TSEQ

