Sniffing GSM900 and DCS1800

The commands are repeated for each device throughout this guide (--args=rtl=0 and --args=rtl=1), as this was an attempt to capture a voice call without frequency hopping. For dealing with hopping, see the other guide.

Bands

Band        Uplink (MHz)       Downlink (MHz)

P-GSM-900   890.0 – 915.0      935.0 – 960.0
E-GSM-900   880.0 – 915.0      925.0 – 960.0
DCS-1800    1710.2 – 1784.8    1805.2 – 1879.8
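As an added worked example (not part of the original guide), the mapping between an ARFCN and the carrier frequencies in the table above, following the channel numbering of 3GPP TS 45.005. It also reverses a downlink frequency as printed by grgsm_scanner back into an ARFCN, which is a quick sanity check on what the scanner reports; the ARFCN values used in the usage section are constructed.

```python
# Added example: ARFCN <-> carrier frequency for P-GSM-900, E-GSM-900 and DCS-1800.
# Frequencies are kept as integer kHz to avoid floating-point drift on the 200 kHz raster.
# Not code from the original guide or from gr-gsm.

def arfcn_to_freq(arfcn: int):
    """Return (band, uplink_khz, downlink_khz) for an ARFCN in the three bands above.

    Raises ValueError for ARFCNs outside those bands (GSM850, PCS1900, ...).
    """
    if 0 <= arfcn <= 124:
        band = "P-GSM-900"
        uplink = 890_000 + 200 * arfcn
        duplex = 45_000                      # GSM900 downlink is 45 MHz above uplink
    elif 975 <= arfcn <= 1023:
        band = "E-GSM-900"
        uplink = 890_000 + 200 * (arfcn - 1024)  # extended channels sit just below 890 MHz
        duplex = 45_000
    elif 512 <= arfcn <= 885:
        band = "DCS-1800"
        uplink = 1_710_200 + 200 * (arfcn - 512)
        duplex = 95_000                      # DCS1800 duplex spacing is 95 MHz
    else:
        raise ValueError(f"ARFCN {arfcn} is not in GSM900/E-GSM900/DCS1800")
    return band, uplink, uplink + duplex


def in_guide_bands(arfcn: int) -> bool:
    """True if the ARFCN belongs to one of the bands this guide scans."""
    try:
        arfcn_to_freq(arfcn)
        return True
    except ValueError:
        return False


def downlink_mhz_to_arfcn(freq_mhz: float) -> int:
    """Inverse mapping for a downlink carrier as printed by grgsm_scanner (e.g. 939.4)."""
    khz = round(freq_mhz * 1000)
    if khz % 200 != 0:
        raise ValueError(f"{freq_mhz} MHz is not on the 200 kHz channel raster")
    if 935_000 <= khz <= 959_800:
        return (khz - 935_000) // 200            # P-GSM: 0..124
    if 925_200 <= khz <= 934_800:
        return 1024 + (khz - 935_000) // 200     # E-GSM: 975..1023
    if 1_805_200 <= khz <= 1_879_800:
        return 512 + (khz - 1_805_200) // 200    # DCS: 512..885
    raise ValueError(f"{freq_mhz} MHz is not a GSM900/E-GSM900/DCS1800 downlink carrier")


if __name__ == "__main__":
    # Constructed ARFCNs, one per band, plus one outside the guide's bands.
    for n in (22, 975, 700, 200):
        if in_guide_bands(n):
            band, ul, dl = arfcn_to_freq(n)
            print(f"ARFCN {n:4d}: {band:10s} uplink {ul/1000:.1f} MHz  downlink {dl/1000:.1f} MHz")
        else:
            print(f"ARFCN {n:4d}: outside GSM900/E-GSM900/DCS1800")
```

The uplink/downlink distinction matters for the capture sections further down: grgsm_capture tunes to the downlink carrier, so the frequency you expect for a given ARFCN is the second value, 45 MHz (GSM900) or 95 MHz (DCS1800) above the uplink.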

Strongest tower

grgsm_scanner gives more readable power readings than Kalibrate, and also reports MCC/MNC.

mkdir -p capture/
cd capture/
# $ppm (RTL-SDR) and $hppm (HackRF) must hold the measured frequency offsets in ppm
echo $ppm

grgsm_scanner -h | less

#RTL
grgsm_scanner --band=GSM900  --gain=34 --speed=5 --args=rtl=0 --ppm="$ppm" | tee GSM900.RTL
grgsm_scanner --band=DCS1800 --gain=34 --speed=5 --args=rtl=0 --ppm="$ppm" | tee DCS1800.RTL
#--verbose

#HRF
grgsm_scanner --band=GSM900  --gain=32 --speed=5 --args=hackrf=0 --ppm="$hppm" | tee GSM900.HRF
grgsm_scanner --band=DCS1800 --gain=32 --speed=5 --args=hackrf=0 --ppm="$hppm" | tee DCS1800.HRF

#RTL
sort -h -k2,2 GSM900.RTL #by ARFCN
sort -h -k12,12 GSM900.RTL #by MNC
sort -rh -k14,14 GSM900.RTL > GSM900.RTL.Pwr #strongest first
sort -rh -k14,14 DCS1800.RTL > DCS1800.RTL.Pwr

#HRF
sort -rh -k14,14 GSM900.HRF > GSM900.HRF.Pwr
sort -rh -k14,14 DCS1800.HRF > DCS1800.HRF.Pwr

arfcn= #ARFCN of the strongest cell, taken from the .Pwr files
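The sort pipelines above pick the strongest cell by whitespace-separated column. The following added example (not the page's own code and not part of gr-gsm) does the same job in Python with typed fields, so the result can be filtered per operator and fed into a script instead of read off by eye. The line layout is the one the guide's sort keys imply (field 2 = ARFCN, field 12 = MNC, field 14 = Pwr); the sample scanner lines are constructed.

```python
import re

# Added example: parse grgsm_scanner output and rank cells by received power,
# the equivalent of `sort -rh -k14,14` in the guide. Not part of the original page.

SCANNER_LINE = re.compile(
    r"ARFCN:\s*(?P<arfcn>\d+),\s*Freq:\s*(?P<freq>[\d.]+)M,\s*"
    r"CID:\s*(?P<cid>\d+),\s*LAC:\s*(?P<lac>\d+),\s*"
    r"MCC:\s*(?P<mcc>\d+),\s*MNC:\s*(?P<mnc>\d+),\s*Pwr:\s*(?P<pwr>-?\d+)"
)

# Constructed sample in that layout: three GSM900 cells from two operators,
# plus a progress line that the parser must skip.
SAMPLE_OUTPUT = """\
Scanning GSM900...
ARFCN:   22, Freq:  939.4M, CID: 12345, LAC: 6789, MCC: 262, MNC:  1, Pwr: -36
ARFCN:   65, Freq:  948.0M, CID:  2222, LAC: 6789, MCC: 262, MNC:  1, Pwr: -29
ARFCN:  110, Freq:  957.0M, CID:  3333, LAC: 4000, MCC: 262, MNC:  2, Pwr: -45
"""


def parse_scanner_output(text):
    """Return one dict per cell line; lines that do not match the layout are ignored."""
    cells = []
    for line in text.splitlines():
        m = SCANNER_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        cells.append({
            "arfcn": int(d["arfcn"]),
            "freq_mhz": float(d["freq"]),
            "cid": int(d["cid"]),
            "lac": int(d["lac"]),
            "mcc": int(d["mcc"]),
            "mnc": int(d["mnc"]),
            "pwr": int(d["pwr"]),
        })
    return cells


def rank_by_power(cells):
    """Strongest cell first; ties broken by ARFCN so the listing is stable."""
    return sorted(cells, key=lambda c: (-c["pwr"], c["arfcn"]))


def cells_for_operator(cells, mcc, mnc):
    """Keep only the cells of one PLMN (MCC/MNC), like eyeballing the sort-by-MNC list."""
    return [c for c in cells if c["mcc"] == mcc and c["mnc"] == mnc]


def strongest_arfcn(text):
    """The value one would assign to `arfcn=` in the guide, or None if nothing parsed."""
    ranked = rank_by_power(parse_scanner_output(text))
    return ranked[0]["arfcn"] if ranked else None


if __name__ == "__main__":
    for c in rank_by_power(parse_scanner_output(SAMPLE_OUTPUT)):
        print(f"ARFCN {c['arfcn']:4d}  {c['freq_mhz']:7.1f} MHz  "
              f"PLMN {c['mcc']}/{c['mnc']:02d}  LAC {c['lac']:5d}  CID {c['cid']:5d}  Pwr {c['pwr']}")
    print("strongest:", strongest_arfcn(SAMPLE_OUTPUT))
```

Feed it a captured file with `parse_scanner_output(open("GSM900.RTL").read())`; because non-matching lines are skipped, the `tee` output can be passed in unfiltered.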

Capture downlink

Notes

Proceed

grgsm_capture -h | less

#RTL
grgsm_capture --arfcn=$arfcn --ppm="$ppm" --rec-length=70 --args=rtl=0 --gain=34 --cfile=$arfcn.cfile
#--gain=42

#HRF
grgsm_capture --arfcn=$arfcn --ppm="$hppm" --rec-length=70 --args=hackrf=0 --gain=32 --cfile=$arfcn.cfile
#--if-gain=32 --bb-gain=20

BCCH timeslot 0

wireshark -k -Y '!icmp && gsmtap' -i lo &
#alternative filter: '!icmp && !tcp && !mdns'

grgsm_decode -h | less
grgsm_decode --arfcn=$arfcn --mode=BCCH --timeslot=0 --cfile=$arfcn.cfile

slot= #timeslot and subslot of the SDCCH/8 channel assigned in the BCCH decode
sub=

SDCCH/8 timeslot X subslot Y

echo $arfcn
echo $slot
echo $sub

grgsm_decode -h | less
grgsm_decode --cfile=$arfcn.cfile --arfcn=$arfcn --mode=SDCCH8 \
    --timeslot=$slot --subslot=$sub --print-bursts > $arfcn.${slot}S$sub

wc -l $arfcn.${slot}S$sub

A5/1 Cracking

Once you've gone through the painful process of cracking A5/1, decode the same channel again with the recovered Kc:

grgsm_decode --cfile=$arfcn.hrf.cfile --arfcn=$arfcn --mode=SDCCH8 \
    --timeslot=$slot --subslot=$sub --a5=1 --kc=KEY-HERE

Troubles

Aug 14, 2016 grgsm_capture.py sample rate error #208 https://github.com/ptrkrysik/gr-gsm/issues/208

Aug 16, 2015 Recording traffic data #114 https://github.com/ptrkrysik/gr-gsm/issues/114

Jun 20, 2015 Code refactoring from other projects (Osmocom, OpenBTS…) #70 https://github.com/ptrkrysik/gr-gsm/issues/70

Feature Requests

Resources

gr-gsm mailing-list https://groups.google.com/forum/#!forum/gr-gsm

https://lists.osmocom.org/mailman/listinfo/gr-gsm

Um interface https://en.wikipedia.org/wiki/Um_interface

Sniffing GSM traffic with HackRF. https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/

GSM Hacking Part①: Scanning and sniffing GSM networks with an SDR https://www.bbsmax.com/A/Gkz1okPZ5R/
