Sniffing GSM900 and DCS1800

Each command in this guide is given twice, once per device (--args=rtl=0 and --args=rtl=1), because this was an attempt to capture a voice call without frequency hopping. For dealing with hopping, see the other guide.


            uplink (MHz)        downlink (MHz)

P-GSM-900   890.0 – 915.0       935.0 – 960.0
E-GSM-900   880.0 – 915.0       925.0 – 960.0
DCS-1800    1710.2 – 1784.8     1805.2 – 1879.8

Strongest tower

grgsm_scanner gives a more readable power readout than Kalibrate and also reports the MCC/MNC of every cell it finds.

    mkdir -p capture/
    cd capture/
    echo $ppm    # frequency correction (ppm) of the RTL-SDR, measured beforehand

    grgsm_scanner -h | less

    grgsm_scanner --band=GSM900  --gain=34 --speed=5 --args=rtl=0 --ppm="$ppm" | tee GSM900.RTL
    grgsm_scanner --band=DCS1800 --gain=34 --speed=5 --args=rtl=0 --ppm="$ppm" | tee DCS1800.RTL

    # same scan with the HackRF ($hppm is its own ppm correction)
    grgsm_scanner --band=GSM900  --gain=32 --speed=5 --args=hackrf=0 --ppm="$hppm" | tee GSM900.HRF
    grgsm_scanner --band=DCS1800 --gain=32 --speed=5 --args=hackrf=0 --ppm="$hppm" | tee DCS1800.HRF

    # in the scanner output, field 2 is the ARFCN, field 12 the MNC and field 14 the power
    sort -h -k2,2 GSM900.RTL      # by ARFCN
    sort -h -k12,12 GSM900.RTL    # by MNC
    sort -rh -k14,14 GSM900.RTL > GSM900.RTL.Pwr      # strongest cell first
    sort -rh -k14,14 DCS1800.RTL > DCS1800.RTL.Pwr

    sort -rh -k14,14 GSM900.HRF > GSM900.HRF.Pwr
    sort -rh -k14,14 DCS1800.HRF > DCS1800.HRF.Pwr
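To sanity-check a scan without juggling sort keys, the following added example (not part of the original notes or of gr-gsm) parses scanner lines, ranks cells by power, maps each ARFCN back to its downlink frequency using the band table above, and flags cells that advertise an MCC/MNC outside the operators you expect to see, which is a common first indicator of a rogue cell. The line layout is assumed from grgsm_scanner's output (it matches the page's sort keys), the sample lines are constructed, and the expected operator set is a placeholder.

```python
import re
from collections import namedtuple

# Constructed sample of grgsm_scanner output (three made-up cells). The layout is
# assumed from the tool's output and matches the page's sort keys (field 12 = MNC, field 14 = Pwr).
SCAN_SAMPLE = """\
ARFCN:   52, Freq:  945.4M, CID: 12345, LAC:  1234, MCC: 262, MNC:   1, Pwr: -21
ARFCN:  995, Freq:  929.2M, CID:  6789, LAC:  1234, MCC: 262, MNC:   2, Pwr: -35
ARFCN:  700, Freq: 1842.8M, CID:   777, LAC:    42, MCC: 262, MNC:  99, Pwr: -18
"""

LINE_RE = re.compile(
    r"ARFCN:\s*(\d+),\s*Freq:\s*([\d.]+)M,\s*CID:\s*(\d+),\s*LAC:\s*(\d+),"
    r"\s*MCC:\s*(\d+),\s*MNC:\s*(\d+),\s*Pwr:\s*(-?\d+)"
)
Cell = namedtuple("Cell", "arfcn freq_mhz cid lac mcc mnc pwr")

def arfcn_to_downlink_mhz(arfcn):
    """Downlink centre frequency derived from the band table (200 kHz channel raster)."""
    if 1 <= arfcn <= 124:                    # P-GSM-900: uplink 890 + 0.2*n, downlink 45 MHz above
        return round(890.0 + 0.2 * arfcn + 45.0, 1)
    if arfcn == 0 or 975 <= arfcn <= 1023:   # E-GSM-900: channels below 890 MHz count down from 1024
        n = arfcn - 1024 if arfcn >= 975 else arfcn
        return round(890.0 + 0.2 * n + 45.0, 1)
    if 512 <= arfcn <= 885:                  # DCS-1800: uplink 1710.2 + 0.2*(n-512), downlink 95 MHz above
        return round(1710.2 + 0.2 * (arfcn - 512) + 95.0, 1)
    raise ValueError(f"ARFCN {arfcn} is outside GSM900/DCS1800")

def parse_scan(text):
    """Turn scanner output into Cell records; lines that do not match the layout are skipped."""
    cells = []
    for m in (LINE_RE.search(line) for line in text.splitlines()):
        if m:
            a, f, cid, lac, mcc, mnc, pwr = m.groups()
            cells.append(Cell(int(a), float(f), int(cid), int(lac), int(mcc), int(mnc), int(pwr)))
    return cells

def strongest(cells):
    """Same ordering as 'sort -rh -k14,14': strongest cell first."""
    return sorted(cells, key=lambda c: c.pwr, reverse=True)

def unexpected_plmn(cells, expected):
    """Cells whose MCC/MNC is not in the expected operator set (placeholder set passed by the caller)."""
    return [c for c in cells if (c.mcc, c.mnc) not in expected]

if __name__ == "__main__":
    cells = parse_scan(SCAN_SAMPLE)
    for c in strongest(cells):
        print(f"ARFCN {c.arfcn:4d} {arfcn_to_downlink_mhz(c.arfcn):7.1f} MHz  PLMN {c.mcc}-{c.mnc:02d}  Pwr {c.pwr}")
    print("unexpected PLMN:", [c.arfcn for c in unexpected_plmn(cells, {(262, 1), (262, 2)})])
```

Feed it a real GSM900.RTL or DCS1800.RTL file with `parse_scan(open(path).read())`; a cell that is both the strongest and outside the expected operator set deserves a closer look.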


Capture downlink

    grgsm_capture -h | less

    # RTL-SDR: record 70 s of the chosen ARFCN to a complex-float file
    grgsm_capture --arfcn=$arfcn --ppm="$ppm" --rec-length=70 --args=rtl=0 --gain=34 --cfile=$arfcn.cfile

    # HackRF: same capture, written to its own file so it does not overwrite the RTL-SDR one
    grgsm_capture --arfcn=$arfcn --ppm="$hppm" --rec-length=70 --args=hackrf=0 --gain=32 --cfile=$arfcn.hrf.cfile
    # HackRF stage gains can also be set explicitly: --if-gain=32 --bb-gain=20

BCCH timeslot 0

    # Wireshark on the loopback interface, showing only the GSMTAP frames that grgsm_decode emits
    wireshark -k -Y '!icmp && gsmtap' -i lo &
    # alternative display filter: '!icmp && !tcp && !mdns'

    grgsm_decode -h | less
    grgsm_decode --arfcn=$arfcn --mode=BCCH --timeslot=0 --cfile=$arfcn.cfile


SDCCH/8 timeslot X subslot Y

    # $slot and $sub: timeslot and subslot of the SDCCH/8 channel to decode
    echo $arfcn
    echo $slot
    echo $sub

    grgsm_decode -h | less
    grgsm_decode --cfile=$arfcn.cfile --arfcn=$arfcn --mode=SDCCH8 \
        --timeslot=$slot --subslot=$sub --print-bursts > $arfcn.${slot}S$sub

    wc -l $arfcn.${slot}S$sub    # number of bursts written

A5/1 Cracking

Once you’ve gone through the painful process of cracking A5/1, decode the same SDCCH/8 again with the recovered Kc:

    grgsm_decode --cfile=$arfcn.hrf.cfile --arfcn=$arfcn --mode=SDCCH8 \
        --timeslot=$slot --subslot=$sub --a5=1 --kc=KEY-HERE


Related links

Issue #208 (Aug 14, 2016): sample rate error
Issue #114 (Aug 16, 2015): Recording traffic data
Issue #70 (Jun 20, 2015): Code refactoring from other projects (Osmocom, OpenBTS…)
Feature Requests
gr-gsm mailing list (Google Groups forum: gr-gsm)
Um interface
Sniffing GSM traffic with HackRF
GSM Hacking Part 1: scanning and sniffing GSM networks with SDR